da3b09b906a8bedc56ad07ad260f6a4366c47168d379df2bbaebf3ed4978f9b3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Size

98KB
MD5

a84e4e73f6b7f6a601e8cc6edf1621a0
SHA1

d9f8522b4bda5a58522072b007e4d996e1a5963b
SHA256

da3b09b906a8bedc56ad07ad260f6a4366c47168d379df2bbaebf3ed4978f9b3
SHA512

dc5bbf8b74fb47e56d2ebb12720c96dc3e496f999e4da10468743717f801f04f20b3c20513398b3d09bfe05646a760f390193beb48531d0cca20cbcbb254947e
SSDEEP

3072:xa1jjtY9+UHAqHvYjM1yEqCeFKPD375lHzpa1P:xsftnUHAqPm1ENeYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe

Executes dropped EXE 30 IoCs

pid	Process
1584	Fmhheqje.exe
2596	Fioija32.exe
2644	Fbgmbg32.exe
2836	Feeiob32.exe
2164	Gonnhhln.exe
2556	Gegfdb32.exe
2536	Ghfbqn32.exe
1780	Gbkgnfbd.exe
1888	Ghhofmql.exe
1912	Gobgcg32.exe
2392	Gaqcoc32.exe
2780	Gacpdbej.exe
2200	Ggpimica.exe
1772	Gaemjbcg.exe
2816	Gddifnbk.exe
2252	Hgbebiao.exe
2136	Hmlnoc32.exe
828	Hgdbhi32.exe
2448	Hkpnhgge.exe
2332	Hdhbam32.exe
2040	Hggomh32.exe
2460	Hpocfncj.exe
1188	Hobcak32.exe
920	Hcnpbi32.exe
2876	Hodpgjha.exe
1540	Henidd32.exe
2936	Hlhaqogk.exe
2736	Ieqeidnl.exe
2312	Ihoafpmp.exe
2260	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
1584	Fmhheqje.exe
1584	Fmhheqje.exe
2596	Fioija32.exe
2596	Fioija32.exe
2644	Fbgmbg32.exe
2644	Fbgmbg32.exe
2836	Feeiob32.exe
2836	Feeiob32.exe
2164	Gonnhhln.exe
2164	Gonnhhln.exe
2556	Gegfdb32.exe
2556	Gegfdb32.exe
2536	Ghfbqn32.exe
2536	Ghfbqn32.exe
1780	Gbkgnfbd.exe
1780	Gbkgnfbd.exe
1888	Ghhofmql.exe
1888	Ghhofmql.exe
1912	Gobgcg32.exe
1912	Gobgcg32.exe
2392	Gaqcoc32.exe
2392	Gaqcoc32.exe
2780	Gacpdbej.exe
2780	Gacpdbej.exe
2200	Ggpimica.exe
2200	Ggpimica.exe
1772	Gaemjbcg.exe
1772	Gaemjbcg.exe
2816	Gddifnbk.exe
2816	Gddifnbk.exe
2252	Hgbebiao.exe
2252	Hgbebiao.exe
2136	Hmlnoc32.exe
2136	Hmlnoc32.exe
828	Hgdbhi32.exe
828	Hgdbhi32.exe
2448	Hkpnhgge.exe
2448	Hkpnhgge.exe
2332	Hdhbam32.exe
2332	Hdhbam32.exe
2040	Hggomh32.exe
2040	Hggomh32.exe
2460	Hpocfncj.exe
2460	Hpocfncj.exe
1188	Hobcak32.exe
1188	Hobcak32.exe
920	Hcnpbi32.exe
920	Hcnpbi32.exe
2876	Hodpgjha.exe
2876	Hodpgjha.exe
1540	Henidd32.exe
1540	Henidd32.exe
2936	Hlhaqogk.exe
2936	Hlhaqogk.exe
2736	Ieqeidnl.exe
2736	Ieqeidnl.exe
2312	Ihoafpmp.exe
2312	Ihoafpmp.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Ggpimica.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fioija32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	2260	WerFault.exe	57

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll"	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hpocfncj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1584	2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1584	2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1584	2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1584	2236	a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe	28
PID 1584 wrote to memory of 2596	1584	Fmhheqje.exe	29
PID 1584 wrote to memory of 2596	1584	Fmhheqje.exe	29
PID 1584 wrote to memory of 2596	1584	Fmhheqje.exe	29
PID 1584 wrote to memory of 2596	1584	Fmhheqje.exe	29
PID 2596 wrote to memory of 2644	2596	Fioija32.exe	30
PID 2596 wrote to memory of 2644	2596	Fioija32.exe	30
PID 2596 wrote to memory of 2644	2596	Fioija32.exe	30
PID 2596 wrote to memory of 2644	2596	Fioija32.exe	30
PID 2644 wrote to memory of 2836	2644	Fbgmbg32.exe	31
PID 2644 wrote to memory of 2836	2644	Fbgmbg32.exe	31
PID 2644 wrote to memory of 2836	2644	Fbgmbg32.exe	31
PID 2644 wrote to memory of 2836	2644	Fbgmbg32.exe	31
PID 2836 wrote to memory of 2164	2836	Feeiob32.exe	32
PID 2836 wrote to memory of 2164	2836	Feeiob32.exe	32
PID 2836 wrote to memory of 2164	2836	Feeiob32.exe	32
PID 2836 wrote to memory of 2164	2836	Feeiob32.exe	32
PID 2164 wrote to memory of 2556	2164	Gonnhhln.exe	33
PID 2164 wrote to memory of 2556	2164	Gonnhhln.exe	33
PID 2164 wrote to memory of 2556	2164	Gonnhhln.exe	33
PID 2164 wrote to memory of 2556	2164	Gonnhhln.exe	33
PID 2556 wrote to memory of 2536	2556	Gegfdb32.exe	34
PID 2556 wrote to memory of 2536	2556	Gegfdb32.exe	34
PID 2556 wrote to memory of 2536	2556	Gegfdb32.exe	34
PID 2556 wrote to memory of 2536	2556	Gegfdb32.exe	34
PID 2536 wrote to memory of 1780	2536	Ghfbqn32.exe	35
PID 2536 wrote to memory of 1780	2536	Ghfbqn32.exe	35
PID 2536 wrote to memory of 1780	2536	Ghfbqn32.exe	35
PID 2536 wrote to memory of 1780	2536	Ghfbqn32.exe	35
PID 1780 wrote to memory of 1888	1780	Gbkgnfbd.exe	36
PID 1780 wrote to memory of 1888	1780	Gbkgnfbd.exe	36
PID 1780 wrote to memory of 1888	1780	Gbkgnfbd.exe	36
PID 1780 wrote to memory of 1888	1780	Gbkgnfbd.exe	36
PID 1888 wrote to memory of 1912	1888	Ghhofmql.exe	37
PID 1888 wrote to memory of 1912	1888	Ghhofmql.exe	37
PID 1888 wrote to memory of 1912	1888	Ghhofmql.exe	37
PID 1888 wrote to memory of 1912	1888	Ghhofmql.exe	37
PID 1912 wrote to memory of 2392	1912	Gobgcg32.exe	38
PID 1912 wrote to memory of 2392	1912	Gobgcg32.exe	38
PID 1912 wrote to memory of 2392	1912	Gobgcg32.exe	38
PID 1912 wrote to memory of 2392	1912	Gobgcg32.exe	38
PID 2392 wrote to memory of 2780	2392	Gaqcoc32.exe	39
PID 2392 wrote to memory of 2780	2392	Gaqcoc32.exe	39
PID 2392 wrote to memory of 2780	2392	Gaqcoc32.exe	39
PID 2392 wrote to memory of 2780	2392	Gaqcoc32.exe	39
PID 2780 wrote to memory of 2200	2780	Gacpdbej.exe	40
PID 2780 wrote to memory of 2200	2780	Gacpdbej.exe	40
PID 2780 wrote to memory of 2200	2780	Gacpdbej.exe	40
PID 2780 wrote to memory of 2200	2780	Gacpdbej.exe	40
PID 2200 wrote to memory of 1772	2200	Ggpimica.exe	41
PID 2200 wrote to memory of 1772	2200	Ggpimica.exe	41
PID 2200 wrote to memory of 1772	2200	Ggpimica.exe	41
PID 2200 wrote to memory of 1772	2200	Ggpimica.exe	41
PID 1772 wrote to memory of 2816	1772	Gaemjbcg.exe	42
PID 1772 wrote to memory of 2816	1772	Gaemjbcg.exe	42
PID 1772 wrote to memory of 2816	1772	Gaemjbcg.exe	42
PID 1772 wrote to memory of 2816	1772	Gaemjbcg.exe	42
PID 2816 wrote to memory of 2252	2816	Gddifnbk.exe	43
PID 2816 wrote to memory of 2252	2816	Gddifnbk.exe	43
PID 2816 wrote to memory of 2252	2816	Gddifnbk.exe	43
PID 2816 wrote to memory of 2252	2816	Gddifnbk.exe	43

C:\Users\Admin\AppData\Local\Temp\a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a84e4e73f6b7f6a601e8cc6edf1621a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Fmhheqje.exe
  C:\Windows\system32\Fmhheqje.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\Fioija32.exe
    C:\Windows\system32\Fioija32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Fbgmbg32.exe
      C:\Windows\system32\Fbgmbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        31⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
98KB

MD5
f6e49c7dea89190ca9e542c3a006ff30

SHA1
047e85b9b396df5289984e95a468751d4b8b7bbc

SHA256
65283c25ea28ef5bf0d3b8ecbab3e8f9838765519d408495b2a1ddf7679b10f6

SHA512
7df0603dc566cb0b9c19f6f9f7ce5416b960b9114da7d69aa6e195ca02ce65b9918173dae1abec5a1a7a88156a8e828882a487043c459d1734e565cb53fe60fd

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
98KB

MD5
51f3541a3e671f8cdd03d5c193ccc5a7

SHA1
1afdd2167cda0515273bb3ab030d5431fc4b8f8c

SHA256
8aedb086231c1f8b95abb5fa4c573b945cebcb087b1499c5dd61860308f5960e

SHA512
0b17f61f9097bf27d6f63dd2dab8967f54aa9f199999c0b1e5ef9fbb2655d808dc5aa5d8991ed5fb9da4e99aa00e27b53b3fdbf9b538d466c952ab2121b03695

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
98KB

MD5
24cd213bff59cd84954528ddc825d3f6

SHA1
1ac63efbb495767a09db01d14430f7a73b05c7df

SHA256
d42f6e179806f0ce6dd9d8452c27f4ce570152f65858611e220f9ebf4e7a1b6d

SHA512
826a0c7613690f4641f2d92c56f974e10841a9986d7515704bf1bf1ca6bd1befd7a698b219d0dcae08ca9c002a5176c9c331587ceb52ce7e961dec024134d077

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
98KB

MD5
955f4c0276502f9386477ef5f5c58ecf

SHA1
3d7b659759a4c0afd48749b5bac82af3b515fb28

SHA256
4613bbb0df32d3ccdf2c9b923a5f5f76d754410f07af5b3641633891b420d9d0

SHA512
06ca3168347bd7afb13cdda1b36fefe51383689835707578068eff910bfd09428bff951da84da6c3f665cd49783fb33919bb7f65c38a5e80c9664f35fbf66e0f

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
98KB

MD5
a5694069e30e747424dbb43c6c116f8e

SHA1
18dc532ac5e8ec29aa28bf5ee105802386056e41

SHA256
147b56836d9bb6c060dfae8b7cce9e2a5c33731868cf8badaa9adf2bfc425c11

SHA512
290846fb12d1e00aff261a29b3be21854ed3904a05a73cb8c108279bf0cada7fa7dc17a2573ee80274761b68296dbfc0897f28d33cf872a404ef3457cc727e03

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
98KB

MD5
de1ab822f8155328ff33c5428a12546a

SHA1
c9ae098a522eb91ef20d4f40c44bdd7a2e662d28

SHA256
fe41312220c1c51f9524a4d6e77f58405676d1ffb2df9f8e9535212def60e197

SHA512
30c4f22dc6eb84bec9a8c3d95e0919f794cd8043feccb5213fa4eb664e87608a9bea6d003d8f81c55f4315c2c4d29e8493afaf05af83f98aa4dc307d04473484

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
98KB

MD5
0e9d37fad70fd07397462e0117da1b5c

SHA1
f85536a27409f21226b3f6216516ed7fd4d499dd

SHA256
c3a81eb6ab949f74c36178f2cd65db05a1a7a638250b6bf5a9be74bd7dcc75ba

SHA512
d7cb3df19101f68eac9a3a69c4f0127375f4688bfbdfb96e57900dade5e2f7ed2291fcdd6431a97aa945f350c9575e80962bc3b9d877c09e27b1d6e4932ff8ad

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
98KB

MD5
c26a70fbdbfd2657d90f2d2b8cbaf5fc

SHA1
8c079d0fb704a63a83e5b3cabb31364f1a6fd2d5

SHA256
941a4e9ceb9ac7dd20778c65e20a682c5dca41bc361eb012624df6122764ca24

SHA512
a59b82ac9a6341c17c8b76963a26585ee52301b75d9abbc7b9372c111a1edc228f1415b742c834627453784d4c5b87b2edbd3a262dcfbd6303196beb158768e3

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
98KB

MD5
1c41e97a01ce5201b50db5aed5dd8b59

SHA1
4920f596fa451e410a72b7f4630d32350ae45431

SHA256
2178615db026152bb5194b22c5883a8feefbb8f0b4782f48bbf0a76d36261bd7

SHA512
c29c94753f4b747ded43b5df91b4ea90a38a36f7e4380f92364a4f42b9e66e91e50bbb09c234abc148b9b934742fcc2307ab841e198e36895c3a0da7e63ed5bf

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
98KB

MD5
50ba08ad157ce9fcd140c278183a411b

SHA1
44c12ef56e7330befa71cdf410410f950ac9de1c

SHA256
6ddcfcd602cffe67f83f76ffddf4e5e4a280f86bce490a1a9d391a147c4d1665

SHA512
bbbdd2a55bbb6bcc6dd69222305dba7c412eab1433835960de0edf35999c3bd475fecb3e9c537a9c6b1010480e35c1938365c7a17bc4248bfaf10a5a8df88a66

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
98KB

MD5
5521a8b6e887a0e6dfcdc1a9d8226012

SHA1
76b99255344ac602a97799f0d8468c32b4a0bbb9

SHA256
5aab28610e9c2a6fab35e29e6b360ec8985c667ffaaa9b9d9bc4d21b5ed95003

SHA512
f816cf69123b84ac5bb958ac61a471d6b7e7a2f74a74ba6a824ecf866d65ace65e46b63afc96246d2e44c51893022e1c7349c27696c3d031189f8ac62a89f767

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
98KB

MD5
bc0c9561d71d776f1c171cc2d72641ef

SHA1
9985e9809aa9d1ef8b93c86df16bd23abaf200b5

SHA256
094a788804caa14ef785c4d66c4e9adc034ac5b8d793bd84447b68e924232268

SHA512
b200c0e4dbdf7899d16cf9ef08b5f02e72ff4e8314ebb8b0ce8eab196ad8b1fab730f9abde137a16a0b948258decb2a30d7e3d997a7291e74883bbce3334e272

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
98KB

MD5
76dbd8dda1cf06a2c995e42c6d542def

SHA1
02b31f270ae8a86addde64815a45e99873bb26d9

SHA256
e2c2c9aa0e4d99409a9bf24f55faeb053ae1d4a95228f46713b353a8aa1070e5

SHA512
e68676b688aaa99303624df9a0d249e32c6cfc2596adc4d5660eb0eaf546d92f251b32b618eb19399c0487ce1da2f1826665f816c5df78d2daa7e391cb16fa8c

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
98KB

MD5
a025e75d34f9e8ca4d1baf80cabcfd38

SHA1
471fe877a908115ea60255b425830ef3b32317d9

SHA256
92179e33c09c49ddd1ff1e2716f52cb762c978d18ba8e61bad511744385303b7

SHA512
de998a0913121a3039def373a426bc21e6b60144bfea62e7a9af52b2a64bea8751367bea01510da05e612204815653a4416025b9924fd1935831ee9cd632d78e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
98KB

MD5
aa644b1035c8a69a640860daa5b723c5

SHA1
c7bca538e106e7bd402a8c3464093313e9267d3a

SHA256
2a0ed6dc23e223d8b82b95810452e9a1bc088dd0f2b0619c2760c9ed7efbc5f9

SHA512
ceef13f38b911cb532e1326659ff5c2d34759b50763c9914ed5288e87cecce0775edf0d2b104aec01f5941505032987130a237524fbf43a550f222e798d87174

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
98KB

MD5
20f576deff11cef15202580974b8646c

SHA1
90af527eb545670757af1083c3bb2a6e3fdf3491

SHA256
6cf0e33337b6ba64c129db19a070204f5fd97e02362d6e8bd453733e6ac25ee8

SHA512
dfcb7963f64bb160fe6adbec21aef135eecf2fd9a9e3b5f8f013ee89f60feba278de3dcf89dd833bdf9c0cd7e1d2f38391bbb9269cd18051a955ce48a22281f0

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
98KB

MD5
8feb951e18c90ccf17378d88fe2d283e

SHA1
b8504dedb61a18af3bf22c67e3dbaaa51e120982

SHA256
74720efb30c7a023a1fe7f04aa2ecec336168acf267018674ea94ace31167fdc

SHA512
1893d8336cedcbcd171a346c6f769b488dba4a4729050a4b1249ebaf5323cd50df7972fd347acce039e1c42f35a2349de10661be08c1185913bc1faa1891f930

Download Submit
C:\Windows\SysWOW64\Oecbjjic.dll

Filesize
7KB

MD5
9bbe2c6930e48ccb61c6bf0d8b7313ed

SHA1
3197e76505733205f1338080dfdf730f947f302d

SHA256
76163d0d19974c1ff18e8354d93078b5a52d85f0cf599febe26899410928d615

SHA512
c8998083bde5da479cca6ce71282a872e7d92f7b9f1c863d068a9d5b035c11906e1ac44b19ed56e19c72340379e782b6660d08bf545260fcce8f16cf73dd185e

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
98KB

MD5
dba7f2b63d54a8d3e380dcb811627ca2

SHA1
9b8d9098e2d64b46b8e456ed55d0efc7e851b100

SHA256
4b9cc3f8d69f67fe8b3a9b20d0c5cfd6575a965b23113cefcb0b987f69cc7645

SHA512
52a4c14c95327de697a2c6900960e387e1bfd8427a1ce15141969f7fb76cc92270fc78194a4ba527643596f4b7456bb52c411760670c6d11ec76c038875e8f99

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
98KB

MD5
b522dd0cdd43460cf08abe0497e77c8d

SHA1
601f8394aebb945926bdcfdac62d0afda3b21a20

SHA256
e16a05f39dccef2564025c8029875ed6ea4dbd7d8f54f8a8761a0c1604e47f15

SHA512
8162f78572d5928b666fe53deda819bcb7aa9d2b000324e223dd99bfb31f75b6406adbfb6da0c22e2f2d82262e2ed55b9cd58899a544ddb28fa5060e9be84760

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
98KB

MD5
710fc6dcf71a322d6cf0510b2a20872e

SHA1
54aafae1d086dee9a03e33722ac2de3ad82bab95

SHA256
a608e85990c590c8fab0cebfaa083bdb6d8a8850d7e534e30cebdd9a72ce2436

SHA512
b7c8398d0e10f059cb1a8eefbb99082b0de89552529a72b3e560950f9f2a41fcc35808b09eb036c4a30e3ccfc4c977249f7846294797686e0ccbef41bfbb975f

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
98KB

MD5
14b3a969bd8d795d33ae616835851e73

SHA1
77c69a0b03b800bbfe00dfd1335ef481306a5471

SHA256
93237801b064826fd117910c09a916e228e4d683e5a9b0d5c2fffbe44c0b63e4

SHA512
25f535dd3a7addecc1f480ba58e28118440c2039ecd212a20a6db4c6e4b5b68f7a0070880224f7d28776f5a9cb8bb25c435cecad7178137e18a6f56b8bc7d7d8

Download Submit
\Windows\SysWOW64\Gaemjbcg.exe

Filesize
98KB

MD5
4ff916d07fb24813b4150d147a61a6d1

SHA1
530865f8e1a449736b934756d20042c7b0058140

SHA256
bb55a5fbbe90dee4eaf8ce6fa64a459ae2a23a4139ba6f379ffc9defd5039297

SHA512
81b9fac0289c2fc3409b5e8a01f3d19ea600900ed27e8857d281ca4d2f1a7fe8c22780e495eb76040391e650e927e1faeb604a67b68caddc9daeaf61eb783631

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
98KB

MD5
7cd53dc1ddd3b43c02f1071b1652a324

SHA1
558d4bd5c38d88657585239d11035b8dd412e141

SHA256
c3dbff55c22323135f97a851d815360c1d2d210f1410b872c7e587a91b803675

SHA512
64501fd93a2d2c816286b9c13c280958ecd3d1a8bc5fe25b125ad8ce544accaee6358b5750631a5a708afcc32bd9b7a3e41dd848fda0293d7b193d7bda6debfa

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
98KB

MD5
492e8e6be0c2356ee036587f679a97d5

SHA1
df05ab5b399a4cc1fbb8c6b12d7f442358a1a32f

SHA256
5519a3c3e0ae10c7787305e7d459d776b0a0fc70c9dfa05f9b0061200db828a2

SHA512
fb47e9137ecd75915028b4e396fcef3e3a0be728b7ad819be95ad3f757814cf18cbbde1e6aa34fdd7771b77c24a5c6e25a2dce6332cf032f7e9ede351a555a02

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
98KB

MD5
66694db47ad33f7d79197ac181bf0720

SHA1
76f9d04647babd75839452c50c8d213c86938de7

SHA256
186b8c9b52071d61f7364dd2fa55bcf21e2f849a2a96e7a6534b31cb5935b09f

SHA512
61a11aea0ddd7d1d2760c873bb66fcf37205d7e39784346d1ea5e31f4713c98b95630304df276f523fba151c0b1ec40e0162e3be1d997b7ea70b698946e8eedb

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
98KB

MD5
e336a6f6cca0df38e8c0ccc15069ca1f

SHA1
014beacc4e4c878ba92080c9e002114e80de90bb

SHA256
0ae14df0e3233bff828248c4f88e5f42e593b7ab8b183a4f6eac23491a7703a2

SHA512
bd23cece4d906cb432cec0c188dafaf2a32de2ab3df654044b74234ac6136ec61aa01bc52fedd9648b06121348a72dc633fcd4117beec97231711ad9b5a4f72d

Download Submit
\Windows\SysWOW64\Ghfbqn32.exe

Filesize
98KB

MD5
3302efb1df3045596c8b8d052577c5c4

SHA1
d2534e58dacba1bd496929a5c2de261a83289fe7

SHA256
01d9a288ac8692f6172ed990e7047efd0518ad1abe6daa1e5cd0698e46ddf23f

SHA512
c601d24f1d241df5a1554faed0b973ed33f8f24668eee26c97b87f62b2340ff3b99dfcd5a591d235e6e78e1efbc6da44d7d7d847fb1869ff82e1cce4c3af3bcb

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
98KB

MD5
b7c1e0de000f5248e46ce4c725fe27eb

SHA1
63fc39d5b67e22df5c1891a5786a0bdbae44f607

SHA256
62bb1e68f125e5260db98056903017612f425c9748ded56969bfe0081be0d5dd

SHA512
a1806077fbc370c9db34af4684130839100bda251dd2289d399ffa2b20b445d2edfacfa2c25e9623ee7062aecf15688c53758b064f7a2404a530555a99a9053e

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
98KB

MD5
2f22a04ff5293cf1d05725fc7907aaa3

SHA1
5118f1579a2f2f8d815288b31040dd5e05c235f1

SHA256
da0c82f4e8b9a6904ba8e57f88a4a711279a4f74460cbb92bce81ace0d0fa92b

SHA512
9bd38826c3d569092e375aa731bac8590dd691ab4059013d5371b840edd02132269047a73316fa5b4614fe0051bb51b9197b30eb04d6853a4dfd63532cdc7338

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
98KB

MD5
a29de6b0b665ee9ed167e49de52aa1cf

SHA1
dcc7445574a65b7bb7cbd1570766ba3a083755fa

SHA256
acdd76ec6aa97878a0023e622252f2ecabb38d18c17663c52b76343f16e993cd

SHA512
975686f7e3f97e80b8caf7ef2a3f1beea9dff5d222a15c9ee168b03936a6dcf99d5615cec741061fe60c52c8e002f1c4e69bb889e117ed43633ada7865f9eb0b

Download Submit
memory/828-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/828-243-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/828-244-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/828-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-309-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/920-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-308-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1188-299-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1188-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1188-295-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1188-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-331-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1540-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-330-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1540-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-27-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1584-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-134-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1888-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-148-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/1912-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-284-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2040-285-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2136-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-233-0x0000000001FC0000-0x0000000002003000-memory.dmp

Filesize
268KB

Download
memory/2136-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-12-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2236-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-11-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2236-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-364-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2312-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-363-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2312-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-267-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2332-265-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2392-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-254-0x0000000001FB0000-0x0000000001FF3000-memory.dmp

Filesize
268KB

Download
memory/2448-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-259-0x0000000001FB0000-0x0000000001FF3000-memory.dmp

Filesize
268KB

Download
memory/2460-289-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2460-287-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2460-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-107-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2536-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-89-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2556-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-54-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2644-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-353-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2736-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-352-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2780-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-315-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2876-320-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2936-342-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2936-341-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2936-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads