b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Size

64KB
MD5

61bdb23ffde7219580319d853dda08b0
SHA1

2cbc4bcb2f78b269658b201c273d2321455e9fd8
SHA256

b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001
SHA512

f2e95650056d52af3c280895ab671b8a91515c5e3458e97b91e38e9196b0f6f3456cb3670fd56ae19589f9cbbe1d45fb91bc5fe118b4f2a233dca13e408d0aaf
SSDEEP

768:UzesBCjA5CrDhlDSPV85LYWzgY5HSjr+rrcccUg42/1H54FYsKA2kms8Y/ts/9dL:lRr3DQV8iWEYhSxWysrPFW2iwTbW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe

Executes dropped EXE 28 IoCs

pid	Process
352	Gbnccfpb.exe
3056	Glfhll32.exe
2688	Geolea32.exe
2884	Ghmiam32.exe
2088	Gkkemh32.exe
2708	Gphmeo32.exe
2468	Hgbebiao.exe
852	Hmlnoc32.exe
2984	Hpkjko32.exe
1320	Hcifgjgc.exe
1216	Hkpnhgge.exe
1604	Hnojdcfi.exe
1204	Hejoiedd.exe
1984	Hnagjbdf.exe
2076	Hlcgeo32.exe
1428	Hobcak32.exe
580	Hgilchkf.exe
1856	Hjhhocjj.exe
2036	Hlfdkoin.exe
1744	Hcplhi32.exe
948	Henidd32.exe
1332	Hhmepp32.exe
604	Hkkalk32.exe
1664	Iaeiieeb.exe
3048	Ieqeidnl.exe
2420	Ihoafpmp.exe
2712	Iknnbklc.exe
2728	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
352	Gbnccfpb.exe
352	Gbnccfpb.exe
3056	Glfhll32.exe
3056	Glfhll32.exe
2688	Geolea32.exe
2688	Geolea32.exe
2884	Ghmiam32.exe
2884	Ghmiam32.exe
2088	Gkkemh32.exe
2088	Gkkemh32.exe
2708	Gphmeo32.exe
2708	Gphmeo32.exe
2468	Hgbebiao.exe
2468	Hgbebiao.exe
852	Hmlnoc32.exe
852	Hmlnoc32.exe
2984	Hpkjko32.exe
2984	Hpkjko32.exe
1320	Hcifgjgc.exe
1320	Hcifgjgc.exe
1216	Hkpnhgge.exe
1216	Hkpnhgge.exe
1604	Hnojdcfi.exe
1604	Hnojdcfi.exe
1204	Hejoiedd.exe
1204	Hejoiedd.exe
1984	Hnagjbdf.exe
1984	Hnagjbdf.exe
2076	Hlcgeo32.exe
2076	Hlcgeo32.exe
1428	Hobcak32.exe
1428	Hobcak32.exe
580	Hgilchkf.exe
580	Hgilchkf.exe
1856	Hjhhocjj.exe
1856	Hjhhocjj.exe
2036	Hlfdkoin.exe
2036	Hlfdkoin.exe
1744	Hcplhi32.exe
1744	Hcplhi32.exe
948	Henidd32.exe
948	Henidd32.exe
1332	Hhmepp32.exe
1332	Hhmepp32.exe
604	Hkkalk32.exe
604	Hkkalk32.exe
1664	Iaeiieeb.exe
1664	Iaeiieeb.exe
3048	Ieqeidnl.exe
3048	Ieqeidnl.exe
2420	Ihoafpmp.exe
2420	Ihoafpmp.exe
2712	Iknnbklc.exe
2712	Iknnbklc.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Henidd32.exe

Program crash 1 IoCs

pid	pid_target	Process
2528	2728	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 352	2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 352	2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 352	2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 352	2188	b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe	28
PID 352 wrote to memory of 3056	352	Gbnccfpb.exe	29
PID 352 wrote to memory of 3056	352	Gbnccfpb.exe	29
PID 352 wrote to memory of 3056	352	Gbnccfpb.exe	29
PID 352 wrote to memory of 3056	352	Gbnccfpb.exe	29
PID 3056 wrote to memory of 2688	3056	Glfhll32.exe	30
PID 3056 wrote to memory of 2688	3056	Glfhll32.exe	30
PID 3056 wrote to memory of 2688	3056	Glfhll32.exe	30
PID 3056 wrote to memory of 2688	3056	Glfhll32.exe	30
PID 2688 wrote to memory of 2884	2688	Geolea32.exe	31
PID 2688 wrote to memory of 2884	2688	Geolea32.exe	31
PID 2688 wrote to memory of 2884	2688	Geolea32.exe	31
PID 2688 wrote to memory of 2884	2688	Geolea32.exe	31
PID 2884 wrote to memory of 2088	2884	Ghmiam32.exe	32
PID 2884 wrote to memory of 2088	2884	Ghmiam32.exe	32
PID 2884 wrote to memory of 2088	2884	Ghmiam32.exe	32
PID 2884 wrote to memory of 2088	2884	Ghmiam32.exe	32
PID 2088 wrote to memory of 2708	2088	Gkkemh32.exe	33
PID 2088 wrote to memory of 2708	2088	Gkkemh32.exe	33
PID 2088 wrote to memory of 2708	2088	Gkkemh32.exe	33
PID 2088 wrote to memory of 2708	2088	Gkkemh32.exe	33
PID 2708 wrote to memory of 2468	2708	Gphmeo32.exe	34
PID 2708 wrote to memory of 2468	2708	Gphmeo32.exe	34
PID 2708 wrote to memory of 2468	2708	Gphmeo32.exe	34
PID 2708 wrote to memory of 2468	2708	Gphmeo32.exe	34
PID 2468 wrote to memory of 852	2468	Hgbebiao.exe	35
PID 2468 wrote to memory of 852	2468	Hgbebiao.exe	35
PID 2468 wrote to memory of 852	2468	Hgbebiao.exe	35
PID 2468 wrote to memory of 852	2468	Hgbebiao.exe	35
PID 852 wrote to memory of 2984	852	Hmlnoc32.exe	36
PID 852 wrote to memory of 2984	852	Hmlnoc32.exe	36
PID 852 wrote to memory of 2984	852	Hmlnoc32.exe	36
PID 852 wrote to memory of 2984	852	Hmlnoc32.exe	36
PID 2984 wrote to memory of 1320	2984	Hpkjko32.exe	37
PID 2984 wrote to memory of 1320	2984	Hpkjko32.exe	37
PID 2984 wrote to memory of 1320	2984	Hpkjko32.exe	37
PID 2984 wrote to memory of 1320	2984	Hpkjko32.exe	37
PID 1320 wrote to memory of 1216	1320	Hcifgjgc.exe	38
PID 1320 wrote to memory of 1216	1320	Hcifgjgc.exe	38
PID 1320 wrote to memory of 1216	1320	Hcifgjgc.exe	38
PID 1320 wrote to memory of 1216	1320	Hcifgjgc.exe	38
PID 1216 wrote to memory of 1604	1216	Hkpnhgge.exe	39
PID 1216 wrote to memory of 1604	1216	Hkpnhgge.exe	39
PID 1216 wrote to memory of 1604	1216	Hkpnhgge.exe	39
PID 1216 wrote to memory of 1604	1216	Hkpnhgge.exe	39
PID 1604 wrote to memory of 1204	1604	Hnojdcfi.exe	40
PID 1604 wrote to memory of 1204	1604	Hnojdcfi.exe	40
PID 1604 wrote to memory of 1204	1604	Hnojdcfi.exe	40
PID 1604 wrote to memory of 1204	1604	Hnojdcfi.exe	40
PID 1204 wrote to memory of 1984	1204	Hejoiedd.exe	41
PID 1204 wrote to memory of 1984	1204	Hejoiedd.exe	41
PID 1204 wrote to memory of 1984	1204	Hejoiedd.exe	41
PID 1204 wrote to memory of 1984	1204	Hejoiedd.exe	41
PID 1984 wrote to memory of 2076	1984	Hnagjbdf.exe	42
PID 1984 wrote to memory of 2076	1984	Hnagjbdf.exe	42
PID 1984 wrote to memory of 2076	1984	Hnagjbdf.exe	42
PID 1984 wrote to memory of 2076	1984	Hnagjbdf.exe	42
PID 2076 wrote to memory of 1428	2076	Hlcgeo32.exe	43
PID 2076 wrote to memory of 1428	2076	Hlcgeo32.exe	43
PID 2076 wrote to memory of 1428	2076	Hlcgeo32.exe	43
PID 2076 wrote to memory of 1428	2076	Hlcgeo32.exe	43

C:\Users\Admin\AppData\Local\Temp\b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b80f7614e31f9790fb9b546e0de10be33e7106d3f07502cd9f0dcbbccc4c5001_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Gbnccfpb.exe
  C:\Windows\system32\Gbnccfpb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\SysWOW64\Glfhll32.exe
    C:\Windows\system32\Glfhll32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Geolea32.exe
      C:\Windows\system32\Geolea32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
64KB

MD5
df518769c7c40937980835aa2b03e906

SHA1
d85b17aba80a1b124616a6322e4bbdc10d3b202a

SHA256
ac9ca521922c663af777b4de08eef1d3fe1844032ea5b43323e92bac68aacb02

SHA512
80cf5dd6c798821456896490a470b17d870442bead7179cac7de5ba5cbafe923525463cfda5c2ba464d881fe63efe7d954369e43f3a70f5a529888e7815a5bf9

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
64KB

MD5
d2d0fd77847223c4a5824a2cb715c148

SHA1
afa25c490631d38e72bb3098faf48e57c1e76e05

SHA256
bc5fcf01e746358e17c164ce945142a0bc0dda159f7cecb8bf0697186e6fabfb

SHA512
3440d899f5bf88f576b26dd8062a06a21acc4eed7bf7d9f425de33ae5e0c70dcc6db8bfcc3781d079f081e2a0928286750f687eaf0629b80a12acd76843dfc24

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
64KB

MD5
0dc451db86024a28436b7ab4ec831207

SHA1
ba8e5c5d04ab85cd02133f52ec808a267cb288ab

SHA256
a457c1c16659e6d7c6cc9ee035dfccc828a51a1e2f5e0cf0827810fe2d493a60

SHA512
59238d573a21a7b77067d7c3f47a9d42dbe09608bb68e8341337e55c712503e1586e56588286e9397f19141e821e173057a7f969ffbd9b3cf401cb6d52cfba10

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
64KB

MD5
29c6b2de22040f714ef033cfe3b28eb0

SHA1
7679706743ce84f67dcda377d27f86096e2ff201

SHA256
f47cd217347ca9aa325a1c34d187c09c138cbe97ce77d80d1c85f213e93b26f8

SHA512
8b551ebb018b2fa933fe832c3e8861c2965e7fbb3daf9090743464afda013e09f78e3abb08ee6187457dd99bbff35c0bd9f18d6269de30e52cb130bd58a5d65d

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
64KB

MD5
68808883caebb41322bcf60ed87f0aab

SHA1
9555dc05bd66070eb9e00ef42149bd84cf15f7a0

SHA256
55362c845d2249ae2a08db8fc0d57435a7cf472268ded85790c780f8aafa660b

SHA512
cbd96515e357229eea83c1ff454ca63d19140668e9a0c419186516acb9a8eb08061906f156833d2950b52cbfb5a07def35eb085e16643cc70a26ed0cf3addd21

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
64KB

MD5
691024bbda8b686e8563060514371637

SHA1
3a411ccca5657d1037410f0aa486f42a75e30bc1

SHA256
acde2e33ddb5ed9c7818dded074f1250a8dc79902400b7bc2917e3f145d4dc3e

SHA512
fe447f90e8a59be96e5c955cab004f993707099c2ddf4f1b4132f75ca91910b388ae34d9288ddb5ea8447b5fd8c6e667968c81f5fbb9d4fa65df1d3eedb22727

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
64KB

MD5
2dc4b725c3d47e1bbdddad387f5b7bd5

SHA1
6c944088f562d782b6ea9dd3b1aeb87637c5f52e

SHA256
b4019f6f1b89f60635d0a2832008cc0f6b1de305a103d6fd99f422803ddd8293

SHA512
6dbe2c3163bb3380d8e256a5b42a2048f41c371b6c74737e86fedd333c48bbad9049970c0a1b6ee8a748908ac50d58888655c99a1721a41bf4aede921f471c90

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
64KB

MD5
dd884de3d3a164f6564aafda30fbd9ac

SHA1
e90d9afc5918e6789fd9bb788d7fe218f2678af9

SHA256
badd501b804dc0230028d16d56dc33d0ba5a11e89b7592e817fbff1221b61057

SHA512
f3ee6134f3608e9cad4a670ae3861203208ae2af64ac867b14bffd30f7b82c2844dc6f1d32a6fc03ef21d5d34a76c2a7e4ef1c67e13f2c8f3a0f5105f6e2c6e2

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
64KB

MD5
d17c9b06472c731c6c22d6a0ecc7c2f2

SHA1
510026c99cf7b2582b97fc11addd33e9a7417f8b

SHA256
89c6c01a51d38abb58ba7f8a6cd9f32638c7776c6d90bc0df6f4ee038f253622

SHA512
e77b28aa321a49149c58b6a2ef2ce42234e3f1787fb778c50c42178f56d5aefc583c6ff5fcad51f5a9cc01990f35daea6c345a50295af28906c0175ad04c01db

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
64KB

MD5
b23f9741ba329b79713970eba363705a

SHA1
4af8de5bc179e753de7d3850a21aecf01095dfdc

SHA256
d02f02649a8677d8b56314b4cc74e4f528b432160816e7df1a6adedd38740b3f

SHA512
aa84117c968cc327fd66b17d5beab62c0a8f5577988a8ad7585fdaa821ed989e9829b03ab6c4177e33ea84d7678fe21c6bc675176a08f49638afd6c1f94e9611

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
64KB

MD5
748e1008a9d84d634f2c72564e4913c6

SHA1
c4231f871388ed12a4bc56c8934deff4833813d0

SHA256
930fc5c9f1013d5b5aeb6d099df45e44f9ab9aaa856975f7c6a6b5ba53ab8d7a

SHA512
b1c4a54e918b2fd2f95656a195f364220296909b5e265d2cfcee13300d32e1f24e84fa8cc867d34f77cd1701e9de7c032a2a1e46639f8458e9301c45937820bd

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
64KB

MD5
7eb81c3d7f448b69796ebb408fee06d0

SHA1
45e0a8475c1a7b4d976bb9cd3800f58a260b2861

SHA256
4621e354a13f66530034ae8a1590722b8e1d204599aed614fbf5f55603e3f983

SHA512
3d5879001146957d5f43f6e7687729a23a6b8b76ac056571eccb560214ccf452e42d5ecebe41b130c47e5594499990e53af6711affa01fba4d1a56cdd32d06c9

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
64KB

MD5
106b1b7fb70f4d276e7bfb1b720872fa

SHA1
8c1d5136e670067a88de7e4cd8d39587ea4ed89d

SHA256
fd7c9814013bd011e7891c7e23f2b40d2804cd9da0eb342ac4150ba67e9e41b8

SHA512
d0538e3b194d3a236c9ee010e68998062173ba4c9fc45fbc86c7d4e0f059dd994c9c99c5577d5bb99dbe94170fb56666654c9c470c32e15bfcc35310beee7105

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
64KB

MD5
619277b7f7ede184983586d6cf23200c

SHA1
1013d9034f7135c991a9109607d44909e22f3d98

SHA256
f1e5086591054b38ca975981fdfb284b72c2516a3a52b289d7f2e91f807793bc

SHA512
cf99c13449893006e223036953d8f72bd51c404518bd3cd01b8950a12b4cab672cb587faa5b32a714f712238ceed7bc210944e9c48776b9b3cec18f9036b9925

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
64KB

MD5
e80e6373b0202c74e62a9252190936ac

SHA1
6853ebfd0c26a3bb0977bf1401df528c527ae770

SHA256
a314aa535420d56a24e7f3bbcb6e0d0c907cb0e51cc66398bca914d215108f90

SHA512
f99a383254a6f25be44634f24d41e0f7b2e6d621423b2308448bad01d7cb6dd04488aa2af080ff56bef7bafa5e23c79876d2f97786ba2d3a8c807dba73152961

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
64KB

MD5
17c144665c4f56ccc962abd90f4a8208

SHA1
611f3a8840510b49cac898239ea5a01720125ec7

SHA256
394ab595a3d5c21478554a59483fb5167bdc2028f451a7cd7db0a5cdf4513d32

SHA512
7732e1da3c2d0beada0f88b47df1f9608245403781120ed5981fa895fdb7e50acc4b6e01be70ddb77aeeb2556721fbb343eef27752a6329c84872597466ff231

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
64KB

MD5
bba299b34e513baf97ae7db5a8c14a69

SHA1
e981bea89f0819a16005d76903d96b8682a9f45c

SHA256
8409928eca74d2cca0b884e605c079f08bc7be28419d88cba3cd01b63d71a251

SHA512
4d09e166bfba37d468d1645668ab962ace41ef90a50892976abb59f602c706a6f38bee71c3420267fefad8d3653981ef378f494c409f75bc7335725aeba7f263

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
64KB

MD5
0aa176263d3739e644df680f89081b6f

SHA1
54f0c38b2c14c1859e01440381b983df0a5fd837

SHA256
2b77d542ac459c42210ba3ae6a15554c51c830749c8f19ff90e132a86c513b44

SHA512
6b09ee4b471b326adf299a6738d5a85e3c7b8dae560d3973b4a814a5fa3e0c8038e664c43b04e71b1edc0748feb6e51c6388e05c78d2faf80b526d301bd2b57c

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
64KB

MD5
400e3b79eb55dacff6298aaaa63a6f09

SHA1
30f9f862181b023f831bfad6159efa3ef007d086

SHA256
880ba14401d706982b9cab3938454512fd5fe3ecbc1c005b51a1489a48fe8421

SHA512
70a39b0b8350e5b720ac0ce2bf3a7554b5d53425451d89e2f5840516866a444ef33ffdd21ea32447ffccc5fbf68d61cea47d06b9121b09368fb1ab275f50b906

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
64KB

MD5
47e9b83fb567ec3163108ff482f775f6

SHA1
42349279f6a8548b3322cf8d3e72d1252a4566d8

SHA256
11b547e467c41b3726c4f9ad6300ef149d4a729f6c2daba4e14586b7e76c6427

SHA512
e355d012696421e8fce75705f9f974d9baed7f6da8bd97415be57012447a0b610e96b9b0d8ef3b4ade8cd8d1414217a08bc44e83afdd68f0bdb88954b3de6a11

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
64KB

MD5
7de3d67f10be29009f1a1e9034e7868c

SHA1
4e0a71b4a21ef7e7229a52d6bab1d45cf7b55202

SHA256
8d8caf3bdfc03fb2895f60134635d8ec7457dcd863654592c03b9a86d35323af

SHA512
0a275c9d58857e7997fa28f312f29adc95ce7c4d2c873c5ecc5a0ef3654824e730d7752bb0d2c6ce3eb3defb0119081b998fe90b260e276cb63342d1aa1b45d1

Download Submit
\Windows\SysWOW64\Geolea32.exe

Filesize
64KB

MD5
124bf7523abc2812899e38fb0b9bc881

SHA1
a41638e22f34088d9bff907d6ea9fdf830e92116

SHA256
c12720b2240715c3514c179e68767f064f2701eb67b1ba78e3d08e62917038de

SHA512
afe331d77fa33827ae39ff153bd95b012285c6682200de5681a3e91d3d1e3b2a48fea994a8fc2a02d093b6bd2c11bd3498d49c76722c5376e105b5e6b5a93650

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
64KB

MD5
6762eb380ac239df0543b1fdec89cb47

SHA1
e2fb85602f7d57884791ce68c20e94e6eecbc5c5

SHA256
0ff88b82b72028641982dca564fb337c0f09f6cbf586b14c822d79a4fec16613

SHA512
ae74777bb8140a88deb26f31b9a67001e12a03d0e46fc1efbe629f856ed3b8aed1b184d1dee1b26511a650ce8379c28091e54dac43bc1bcf8793c2a8fb21a426

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
64KB

MD5
79e6f79d5395d50e2ef5670ece1ca73d

SHA1
3e1672dc766a08dde7afa494bbefb61c496547ab

SHA256
a5bba03cdfb02e59f5d5105f99270c978ae51e074473a4ca677a00ea0bc5e005

SHA512
ade74ddeebf9d2a13b78e24d0b27aa21393935771b8fffb1d4cce9b34dfce5bc32b15195d629f59df20cfdfc658159224a5fc09bf15f70ba91fa621e8f4335e7

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe

Filesize
64KB

MD5
c094559b96c20c4197c84bb895e115c9

SHA1
c0d93d8e332e2d135af0cb883e65ac182ba8660e

SHA256
35a8945e2d333c586b5cfaa0f43f429036d709408833bce21ce63ded2a949bca

SHA512
88ba1e5416cfa33c7b2607294027cc9f18ebbc17cbdaaada8dfc1758186991828aa72d16738e45424a57aaaf6069a8d903477f7688ba6813ba9356097950c446

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
64KB

MD5
d6507ef0c82bb5ff53239af6f7ccdeca

SHA1
313f1931e47fe8ed7180d42d1c5fb832eb82f65a

SHA256
73ad66484b002db8aaef800c3448308b9ac1ec3eca749b0accbf1d45d9609f11

SHA512
3a59ada6a67c3672e8791aed110f4a3fb76f7968788b39f8ebc285d36f2bca8ea417aec64d1c6d7151196bda9b78b360ecd3367fa908e94d2f44954b3686a264

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
64KB

MD5
62a3e83e6929d499a1a34c2e56f9f6bf

SHA1
0594a8d8a2a948c82601feac53ca9f4fd78a60d3

SHA256
1a9fe8f8cac5c61c543af2a8ddcfa7dd0c45f34885a574cf42a9c20b0ac06774

SHA512
9c165d9e0f34fd415e079f8369e633f5d5f90bbd3cece74f3207ec4fb3f78d428bee954462a1c596db707be13656d7a3266cfdef771fb180437a4f50a5bc2850

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
64KB

MD5
d4e761aab28e985026299bb73e97245a

SHA1
fe9b379ff28a9fd501d4774133601221bf1a2033

SHA256
7d849306a9a7978b1621e283ad55863b919a1cf706aeee87e75602b5a5575d95

SHA512
88e5a25ef6e2222f40496aa166ca6ce170211c3f88c07b84a923f9616c537842a05765c8e667ded90c77bc97d71fa19c10585845a345d9efaee57e0a040cafde

Download Submit
memory/352-25-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/352-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/580-250-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/580-326-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/580-245-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/604-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/604-360-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/852-113-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/948-356-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/948-288-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-196-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1204-270-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1216-167-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1216-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1216-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1332-294-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1332-303-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/1332-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-243-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1428-242-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1428-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-313-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1604-168-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1604-176-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/1604-183-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/1604-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1664-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1664-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1744-286-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/1744-346-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/1744-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1744-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-334-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1856-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-257-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1984-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-274-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2036-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2076-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2076-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2076-224-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2088-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2088-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-105-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2188-7-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2188-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2420-364-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2420-336-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2420-363-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2420-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2688-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-357-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2712-365-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-366-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-52-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-122-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-136-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2984-138-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2984-226-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2984-228-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/3048-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3056-33-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/3056-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3056-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads