2bad3eb8ed9496e993d1cea5c20ed5b9a3741019d1c7031ad0844bd60d5e0b38

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Size

592KB
MD5

c257118e142e4672c3ac6172c4983b50
SHA1

b62d6501eacaefd7a8dd3d4ea7e95e3f63ff6357
SHA256

2bad3eb8ed9496e993d1cea5c20ed5b9a3741019d1c7031ad0844bd60d5e0b38
SHA512

baea2d0a67693adf7645daab858a5d9af2f4deb0a9e27e4bd013ec01fefa450799548db7cf5b2054a36c8260460b3e4d6ae69eea93563bd703a9acab906488d1
SSDEEP

12288:gDBqMfhrsuLIpIwAxWDFQIwAxWnsuLIKWc3KGIwAxWnsuLIpIwAF:gDBBJr9mxxaxxn9lv3KGxxn9mxW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe

Executes dropped EXE 19 IoCs

pid	Process
1716	Dnlidb32.exe
2152	Doobajme.exe
2720	Ejgcdb32.exe
2868	Eilpeooq.exe
2168	Enkece32.exe
2508	Ebinic32.exe
2952	Fhhcgj32.exe
1820	Ffnphf32.exe
2692	Flmefm32.exe
1868	Gonnhhln.exe
2404	Gicbeald.exe
492	Gbnccfpb.exe
1292	Gphmeo32.exe
1912	Hiqbndpb.exe
1500	Hejoiedd.exe
1612	Hlcgeo32.exe
1836	Iaeiieeb.exe
1132	Ihoafpmp.exe
832	Iagfoe32.exe

Loads dropped DLL 42 IoCs

pid	Process
2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
1716	Dnlidb32.exe
1716	Dnlidb32.exe
2152	Doobajme.exe
2152	Doobajme.exe
2720	Ejgcdb32.exe
2720	Ejgcdb32.exe
2868	Eilpeooq.exe
2868	Eilpeooq.exe
2168	Enkece32.exe
2168	Enkece32.exe
2508	Ebinic32.exe
2508	Ebinic32.exe
2952	Fhhcgj32.exe
2952	Fhhcgj32.exe
1820	Ffnphf32.exe
1820	Ffnphf32.exe
2692	Flmefm32.exe
2692	Flmefm32.exe
1868	Gonnhhln.exe
1868	Gonnhhln.exe
2404	Gicbeald.exe
2404	Gicbeald.exe
492	Gbnccfpb.exe
492	Gbnccfpb.exe
1292	Gphmeo32.exe
1292	Gphmeo32.exe
1912	Hiqbndpb.exe
1912	Hiqbndpb.exe
1500	Hejoiedd.exe
1500	Hejoiedd.exe
1612	Hlcgeo32.exe
1612	Hlcgeo32.exe
1836	Iaeiieeb.exe
1836	Iaeiieeb.exe
1132	Ihoafpmp.exe
1132	Ihoafpmp.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ejgcdb32.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Dnoillim.dll	Ejgcdb32.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Dnlidb32.exe	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Enkece32.exe	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Pinfim32.dll	Enkece32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Njqaac32.dll	Doobajme.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Cillgpen.dll	Dnlidb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Enkece32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Doobajme.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Doobajme.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ejgcdb32.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Eilpeooq.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Enkece32.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Lbidmekh.dll	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Enkece32.exe	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Hecjkifm.dll	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Eilpeooq.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Dnlidb32.exe	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1532	832	WerFault.exe	46

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll"	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkece32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doobajme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1716	2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 2152	1716	Dnlidb32.exe	29
PID 1716 wrote to memory of 2152	1716	Dnlidb32.exe	29
PID 1716 wrote to memory of 2152	1716	Dnlidb32.exe	29
PID 1716 wrote to memory of 2152	1716	Dnlidb32.exe	29
PID 2152 wrote to memory of 2720	2152	Doobajme.exe	30
PID 2152 wrote to memory of 2720	2152	Doobajme.exe	30
PID 2152 wrote to memory of 2720	2152	Doobajme.exe	30
PID 2152 wrote to memory of 2720	2152	Doobajme.exe	30
PID 2720 wrote to memory of 2868	2720	Ejgcdb32.exe	31
PID 2720 wrote to memory of 2868	2720	Ejgcdb32.exe	31
PID 2720 wrote to memory of 2868	2720	Ejgcdb32.exe	31
PID 2720 wrote to memory of 2868	2720	Ejgcdb32.exe	31
PID 2868 wrote to memory of 2168	2868	Eilpeooq.exe	32
PID 2868 wrote to memory of 2168	2868	Eilpeooq.exe	32
PID 2868 wrote to memory of 2168	2868	Eilpeooq.exe	32
PID 2868 wrote to memory of 2168	2868	Eilpeooq.exe	32
PID 2168 wrote to memory of 2508	2168	Enkece32.exe	33
PID 2168 wrote to memory of 2508	2168	Enkece32.exe	33
PID 2168 wrote to memory of 2508	2168	Enkece32.exe	33
PID 2168 wrote to memory of 2508	2168	Enkece32.exe	33
PID 2508 wrote to memory of 2952	2508	Ebinic32.exe	34
PID 2508 wrote to memory of 2952	2508	Ebinic32.exe	34
PID 2508 wrote to memory of 2952	2508	Ebinic32.exe	34
PID 2508 wrote to memory of 2952	2508	Ebinic32.exe	34
PID 2952 wrote to memory of 1820	2952	Fhhcgj32.exe	35
PID 2952 wrote to memory of 1820	2952	Fhhcgj32.exe	35
PID 2952 wrote to memory of 1820	2952	Fhhcgj32.exe	35
PID 2952 wrote to memory of 1820	2952	Fhhcgj32.exe	35
PID 1820 wrote to memory of 2692	1820	Ffnphf32.exe	36
PID 1820 wrote to memory of 2692	1820	Ffnphf32.exe	36
PID 1820 wrote to memory of 2692	1820	Ffnphf32.exe	36
PID 1820 wrote to memory of 2692	1820	Ffnphf32.exe	36
PID 2692 wrote to memory of 1868	2692	Flmefm32.exe	37
PID 2692 wrote to memory of 1868	2692	Flmefm32.exe	37
PID 2692 wrote to memory of 1868	2692	Flmefm32.exe	37
PID 2692 wrote to memory of 1868	2692	Flmefm32.exe	37
PID 1868 wrote to memory of 2404	1868	Gonnhhln.exe	38
PID 1868 wrote to memory of 2404	1868	Gonnhhln.exe	38
PID 1868 wrote to memory of 2404	1868	Gonnhhln.exe	38
PID 1868 wrote to memory of 2404	1868	Gonnhhln.exe	38
PID 2404 wrote to memory of 492	2404	Gicbeald.exe	39
PID 2404 wrote to memory of 492	2404	Gicbeald.exe	39
PID 2404 wrote to memory of 492	2404	Gicbeald.exe	39
PID 2404 wrote to memory of 492	2404	Gicbeald.exe	39
PID 492 wrote to memory of 1292	492	Gbnccfpb.exe	40
PID 492 wrote to memory of 1292	492	Gbnccfpb.exe	40
PID 492 wrote to memory of 1292	492	Gbnccfpb.exe	40
PID 492 wrote to memory of 1292	492	Gbnccfpb.exe	40
PID 1292 wrote to memory of 1912	1292	Gphmeo32.exe	41
PID 1292 wrote to memory of 1912	1292	Gphmeo32.exe	41
PID 1292 wrote to memory of 1912	1292	Gphmeo32.exe	41
PID 1292 wrote to memory of 1912	1292	Gphmeo32.exe	41
PID 1912 wrote to memory of 1500	1912	Hiqbndpb.exe	42
PID 1912 wrote to memory of 1500	1912	Hiqbndpb.exe	42
PID 1912 wrote to memory of 1500	1912	Hiqbndpb.exe	42
PID 1912 wrote to memory of 1500	1912	Hiqbndpb.exe	42
PID 1500 wrote to memory of 1612	1500	Hejoiedd.exe	43
PID 1500 wrote to memory of 1612	1500	Hejoiedd.exe	43
PID 1500 wrote to memory of 1612	1500	Hejoiedd.exe	43
PID 1500 wrote to memory of 1612	1500	Hejoiedd.exe	43

C:\Users\Admin\AppData\Local\Temp\c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c257118e142e4672c3ac6172c4983b50_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Dnlidb32.exe
  C:\Windows\system32\Dnlidb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\Doobajme.exe
    C:\Windows\system32\Doobajme.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\Ejgcdb32.exe
      C:\Windows\system32\Ejgcdb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Eilpeooq.exe
        
        C:\Windows\system32\Eilpeooq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Enkece32.exe
        
        C:\Windows\system32\Enkece32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Doobajme.exe

Filesize
592KB

MD5
c8efccbcbe0c79fe222af58742b463b2

SHA1
3b5f90de164ac9bc499c0f280bb716af738d4480

SHA256
33124c19f82fc86cbdbea716e3d00456de1c2225cecd079e5760f24c0fcdd48d

SHA512
2d078891383598d5bff9ccc339bf9e773a58cbe5584bb88e6c3769a4bfee845d20528ac812ec0284810c8a87ba43dceaf5fd405f1050fe49d77493cc92a21a22

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
592KB

MD5
441bd4fc1d56ac29ea076c57e50b5b57

SHA1
4d31b36d7331724cc4b3a493afafa08d540e0a9c

SHA256
a29aa1392af04eecb29a073be0ce6edf4f4e17245a72a872d44fecc8ca13ffe2

SHA512
2fc30474f558776cda9f8c13972e9545f22289d1a1232f1088d4165ce5a9b9df696ee576c60344cee93b00fffdc2609e7bf873105e0d90d063e555ee0f7edcfd

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
592KB

MD5
a1d60de972a0e4c897d2e7c3bfd5a060

SHA1
8aff9a52425118496a6156a5bd5a554de6ae316f

SHA256
d0baf94699a9f3fd26cae2acb1d9735e334d7eea576a0f8462d130d69a61024f

SHA512
2266a8d94226adaafb43f94fa02d13bc4d94fb60c3717cd384807cc41d42488f1c13e57242b884101bdf03bb06a027ede4f4760b1558ea6d1315533ac5e07676

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
592KB

MD5
e64ea7cd079981bd7e11e4771fadfd33

SHA1
7f58692f97871a24302c8df8172650b572d6f9ff

SHA256
2e9cce9ad9ef78c8c4451fd6e17ddca62aae4fb5abdf4d627bdd305f2a6c9426

SHA512
4e407820e39bd717a29fbf38c45ce0fd8c6d16872c41dc871b35c7d5eab67e2314919c0d340f278c95744f73bfcd49954cc050845b7124ec396be2b4dbe23c09

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
592KB

MD5
a09f14203e679d55c102ce9e9e90d9c5

SHA1
8d5f1b7647ede1fb8f8c331bbf034c4a1c3c0337

SHA256
fce409a962ce398aaf5bb541e90d1f52699c1a1a4a0e78ab34e899faa7836750

SHA512
301aeff708c572a178f09a65e5f3fc5bf5d70c128c291e086c6ff9bcb1dd8cd340ae7cd6125d029cfcce047f8e4f9c7fc6735de1e75146ea359258d27ed42287

Download Submit
\Windows\SysWOW64\Dnlidb32.exe

Filesize
592KB

MD5
01c24ea694379c0ebd0d72667ca20f03

SHA1
7a0cc3c4e8f61e609cd0a6543d19aa9e32dc7c4c

SHA256
4db3c66d8fcb328adf3be24bf1e15a891ac3da3522b36e409889a997407d5a5e

SHA512
a788f797b8fc099607b6975cf62657bc5f292598601e92941f74831b680adb7a3ab7c71ecb0a21e6cca5002da382ae32f532438757312b68078ce1f446c648d4

Download Submit
\Windows\SysWOW64\Ebinic32.exe

Filesize
592KB

MD5
8c78a22307627cf4e292a6b44d6f6809

SHA1
023f2fbaf9bef6eb05f28e16248a8859974d3a1f

SHA256
129e9648723de64191c803e015861f9b2938f9b9d8edc418da88465c28d74aab

SHA512
caa119bd161f4e668972fdc24c85abc499f53cab863be35a57c029b0f0224aed87ae66e60a597bd0ab63d95a4da457dfb7272481d8dbdc300c27c306c15ae9a8

Download Submit
\Windows\SysWOW64\Eilpeooq.exe

Filesize
592KB

MD5
bbba802268bdced14565beca40da7fa9

SHA1
0f431d697bcb7262ba5c65b47b7183b4f685e348

SHA256
f519ada3a616d7b5bb96a99562aa6cc7e43cfc39a188d28803ec418566b042a4

SHA512
97d5e0a548ee36b86c3c76514bbe6b954cc6e356774cc897378ca9c982e12b1b806b21d9a4aaed35fc4709aacc0c80df0c994243392275129034faaa1993f57c

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
592KB

MD5
8ea5ff289d17b2c5fae94c8d7c36d194

SHA1
f0d0b806c0ce0a4decbb5029d701a64ef9ea03c3

SHA256
32b556720bd060aac5bc3ea0aafa4daec5b0ef59f12898a34821b92c7ec53a5e

SHA512
6ae2f0acc788452d9cf90abdbc777b633c6701632359681866722a7cd1fa90643f9bb929f76d638c5f716e7ac7a00e5293523aee04af464c985bdfdb032d3b6a

Download Submit
\Windows\SysWOW64\Enkece32.exe

Filesize
592KB

MD5
66713b3f973b6e692a22dca38de296c0

SHA1
02e740622d3203cb917d05168d6791f1b86a2238

SHA256
ef8adc3704f5c7448cfeef1df87566895c68eb1663cf08a0ff0cddc549ce4bad

SHA512
250f95e06af0e7c6f855b5f3e43df83419f043a73b822bf53be27b4a6401ae9c96d76cbf5e8f9a12c0dbdfa7b25285179b76b6045bf0d5764a628eb33d7fcb40

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
592KB

MD5
d6448f75b15508e485f57444ec91df46

SHA1
d93c4a07f088f8c4df1553140c819f6952df6189

SHA256
d09c5bfb7ceac8f0cc9951e5a10ce69581f613cfe4c0738cf22469ba27afc957

SHA512
ea987fb937942fca62ce18cf91af0421608d005e62b246ad2f3ef845af0d51d3cd04ca6c91e49a755ba66b35f858d075b5dcf3855cf8101c30f2d4dd15adfdda

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
592KB

MD5
6f8d7a0c3fc2f6fa5755d510e189c820

SHA1
4d8df15030767572a1bbaf6e2e84f3ac90351b5b

SHA256
fb8eda405993fbe55fc6461afdc6b960bcecd9bb5e4e4ec0601b4b8763bc7665

SHA512
9f1c921d4ac1be8579e8044de21f125bdd43a55202a136c74979ab5b78de56b833118a2f2930844540ca200f69fef84500c320fb6b913a4c01f2addba8f65a39

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
592KB

MD5
21e5e1356f3604bd01420c6b3514da9c

SHA1
17966d2dbd5c573ba02a8ee9bb48119c9276d29d

SHA256
bde8f09cd778ba22c40fc2a7cc6602220dff17d5bb2de91c75e43b5c3da22e7a

SHA512
58db2542acd3eb0e5ec1bb907e1874410689173d25018601b3a372f4c57b51c8c54a09b99386bb7c0d23621e240f17549b3b6d72853e2cc1e4ba640c341150c3

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
592KB

MD5
034f0c39ab4b42cb7ad5f8609ea415b9

SHA1
44cae53b591c1b9750faaf5be07d25d9a7cabd63

SHA256
863e139b360ca339358e75f85472efdb39865ae4cf8f0361ab723ce32ab6d190

SHA512
644e75e45b119764b4b0ab99490662ad005cf0bd84ca99c6bba1392dc1da0cb6d55f29a4cda55085f2afb8f03c41e21150e16749e9aecbd97729247ca0dc35f4

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
592KB

MD5
eb032c3ba1b9460e2c56e76c4ed14943

SHA1
53a93c34ae3814828ea158c85c7e9de8474d61cc

SHA256
8009974e319ede607ea9df347331752d6306faf582bd268378d78613fe83cbaf

SHA512
2bc2aeb38c2009eb0e9d0220ff6932037945a130f713af12ef2fbfd0b0196d4a004361f26ecce9c1bf97e1c74c2d12ae5ac936eaa53cdf0deedc7ccdd5a02a5b

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
592KB

MD5
2661555f7b1713f6a713f7697320a303

SHA1
546ec3ccc425a1363cb3a190f875a4ecb52edb9e

SHA256
eff995e4095c62a39e5fabafe81e359e04af244b8423707fe18ff48b44cc97f2

SHA512
6445e59582460f7c168995faed30c8a5c1c7d44f6f3f680b48d609f7d2e5fa3518f92556270b398f1ddecc699c81290bf52fc3fe2cf94c7a64fc1483a258dfa1

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
592KB

MD5
b4e30db5c7391e20557a77c50cc74d90

SHA1
1c706b2cf981a460966ef1559f74edf77b8036d5

SHA256
15634d373905633be0f56f74f96a6a44d3a9057a3673ebce4c5b2e0b6b8055c1

SHA512
8f3dfc3945823edc9d37663b0b3f6361e55767995f2039a799a16b527a951511727018bf44c340eadfe7045cd68dbb524a4fc577e100fee460708b3142e98ab2

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
592KB

MD5
2f7dd441f65241e8addadbb97d6cde90

SHA1
feba2460401a681e3ac27a2f209dfd8128f8d3e2

SHA256
f9523d9895aca910a4dd087336503c16793c0044dd45ba040831f5651e195bcc

SHA512
d54e867e24ff2003852203c976548d92a3971796787efd35a1651ed17c3d8c03c40d5ade2b784ac9c0e7e9b2dfb64ef3fa4e4a054b976eaa17ac1f5069f239b9

Download Submit
\Windows\SysWOW64\Hlcgeo32.exe

Filesize
592KB

MD5
8ac2884a28bf0c264f3f6b8c941d6848

SHA1
e0c2660ba8afa34a3ffef0e5a4ffd70fa0a3e03a

SHA256
bde5bbe65a87ec48abf3b6005d5b492416449a0741864f0f4e33ed97a0c9fda2

SHA512
f5eb1f8c4e9313e037a5629a93f275207f8d843eb1746410d2fb0d62c0fffe034fd2a301e32eec10676645e4e6b9679766dc5016f0afc1c72b48df773ce905c7

Download Submit
memory/492-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-173-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/832-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1132-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-220-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1500-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-27-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1716-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1716-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-117-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1836-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-150-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1912-207-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/1912-211-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/1912-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-36-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2152-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-77-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2404-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-160-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2404-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-90-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-137-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2720-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-64-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2932-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-13-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2932-6-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2952-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-104-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads