2ec4087b541275b888ee82218a65f6e05d9cc7f54edb573c2eb96f35ea53ac20

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 08:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Size

320KB
MD5

1e9b2bf52faa4a334e10dcb54f2d5fb0
SHA1

0fd9a0618bedd6257346405f486ae08ad380ae98
SHA256

2ec4087b541275b888ee82218a65f6e05d9cc7f54edb573c2eb96f35ea53ac20
SHA512

c3be6d34a600635fb2d1c1bdd32c4f35cd0d06c88fe47638a8aaa5232afbaba079ffd340e0d0cfdcf5cc47fd62eef91828e45e011c58421066b2a1892ef497fa
SSDEEP

6144:xX2epCscj/JvlaY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:xmcCsc9v3m05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe

Executes dropped EXE 20 IoCs

pid	Process
2888	Fhhcgj32.exe
2612	Fjilieka.exe
2808	Facdeo32.exe
2820	Fddmgjpo.exe
2836	Gonnhhln.exe
2532	Gpmjak32.exe
2164	Gangic32.exe
856	Gdopkn32.exe
2620	Gacpdbej.exe
2196	Gogangdc.exe
1876	Hiqbndpb.exe
1972	Hkpnhgge.exe
688	Hdhbam32.exe
2432	Hpocfncj.exe
1780	Hhjhkq32.exe
1872	Hodpgjha.exe
1796	Icbimi32.exe
3024	Idceea32.exe
1388	Ioijbj32.exe
1364	Iagfoe32.exe

Loads dropped DLL 44 IoCs

pid	Process
2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
2888	Fhhcgj32.exe
2888	Fhhcgj32.exe
2612	Fjilieka.exe
2612	Fjilieka.exe
2808	Facdeo32.exe
2808	Facdeo32.exe
2820	Fddmgjpo.exe
2820	Fddmgjpo.exe
2836	Gonnhhln.exe
2836	Gonnhhln.exe
2532	Gpmjak32.exe
2532	Gpmjak32.exe
2164	Gangic32.exe
2164	Gangic32.exe
856	Gdopkn32.exe
856	Gdopkn32.exe
2620	Gacpdbej.exe
2620	Gacpdbej.exe
2196	Gogangdc.exe
2196	Gogangdc.exe
1876	Hiqbndpb.exe
1876	Hiqbndpb.exe
1972	Hkpnhgge.exe
1972	Hkpnhgge.exe
688	Hdhbam32.exe
688	Hdhbam32.exe
2432	Hpocfncj.exe
2432	Hpocfncj.exe
1780	Hhjhkq32.exe
1780	Hhjhkq32.exe
1872	Hodpgjha.exe
1872	Hodpgjha.exe
1796	Icbimi32.exe
1796	Icbimi32.exe
3024	Idceea32.exe
3024	Idceea32.exe
1388	Ioijbj32.exe
1388	Ioijbj32.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gangic32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	1364	WerFault.exe	47

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gonnhhln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2888	2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2888	2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2888	2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2888	2020	1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe	28
PID 2888 wrote to memory of 2612	2888	Fhhcgj32.exe	29
PID 2888 wrote to memory of 2612	2888	Fhhcgj32.exe	29
PID 2888 wrote to memory of 2612	2888	Fhhcgj32.exe	29
PID 2888 wrote to memory of 2612	2888	Fhhcgj32.exe	29
PID 2612 wrote to memory of 2808	2612	Fjilieka.exe	30
PID 2612 wrote to memory of 2808	2612	Fjilieka.exe	30
PID 2612 wrote to memory of 2808	2612	Fjilieka.exe	30
PID 2612 wrote to memory of 2808	2612	Fjilieka.exe	30
PID 2808 wrote to memory of 2820	2808	Facdeo32.exe	31
PID 2808 wrote to memory of 2820	2808	Facdeo32.exe	31
PID 2808 wrote to memory of 2820	2808	Facdeo32.exe	31
PID 2808 wrote to memory of 2820	2808	Facdeo32.exe	31
PID 2820 wrote to memory of 2836	2820	Fddmgjpo.exe	32
PID 2820 wrote to memory of 2836	2820	Fddmgjpo.exe	32
PID 2820 wrote to memory of 2836	2820	Fddmgjpo.exe	32
PID 2820 wrote to memory of 2836	2820	Fddmgjpo.exe	32
PID 2836 wrote to memory of 2532	2836	Gonnhhln.exe	33
PID 2836 wrote to memory of 2532	2836	Gonnhhln.exe	33
PID 2836 wrote to memory of 2532	2836	Gonnhhln.exe	33
PID 2836 wrote to memory of 2532	2836	Gonnhhln.exe	33
PID 2532 wrote to memory of 2164	2532	Gpmjak32.exe	34
PID 2532 wrote to memory of 2164	2532	Gpmjak32.exe	34
PID 2532 wrote to memory of 2164	2532	Gpmjak32.exe	34
PID 2532 wrote to memory of 2164	2532	Gpmjak32.exe	34
PID 2164 wrote to memory of 856	2164	Gangic32.exe	35
PID 2164 wrote to memory of 856	2164	Gangic32.exe	35
PID 2164 wrote to memory of 856	2164	Gangic32.exe	35
PID 2164 wrote to memory of 856	2164	Gangic32.exe	35
PID 856 wrote to memory of 2620	856	Gdopkn32.exe	36
PID 856 wrote to memory of 2620	856	Gdopkn32.exe	36
PID 856 wrote to memory of 2620	856	Gdopkn32.exe	36
PID 856 wrote to memory of 2620	856	Gdopkn32.exe	36
PID 2620 wrote to memory of 2196	2620	Gacpdbej.exe	37
PID 2620 wrote to memory of 2196	2620	Gacpdbej.exe	37
PID 2620 wrote to memory of 2196	2620	Gacpdbej.exe	37
PID 2620 wrote to memory of 2196	2620	Gacpdbej.exe	37
PID 2196 wrote to memory of 1876	2196	Gogangdc.exe	38
PID 2196 wrote to memory of 1876	2196	Gogangdc.exe	38
PID 2196 wrote to memory of 1876	2196	Gogangdc.exe	38
PID 2196 wrote to memory of 1876	2196	Gogangdc.exe	38
PID 1876 wrote to memory of 1972	1876	Hiqbndpb.exe	39
PID 1876 wrote to memory of 1972	1876	Hiqbndpb.exe	39
PID 1876 wrote to memory of 1972	1876	Hiqbndpb.exe	39
PID 1876 wrote to memory of 1972	1876	Hiqbndpb.exe	39
PID 1972 wrote to memory of 688	1972	Hkpnhgge.exe	40
PID 1972 wrote to memory of 688	1972	Hkpnhgge.exe	40
PID 1972 wrote to memory of 688	1972	Hkpnhgge.exe	40
PID 1972 wrote to memory of 688	1972	Hkpnhgge.exe	40
PID 688 wrote to memory of 2432	688	Hdhbam32.exe	41
PID 688 wrote to memory of 2432	688	Hdhbam32.exe	41
PID 688 wrote to memory of 2432	688	Hdhbam32.exe	41
PID 688 wrote to memory of 2432	688	Hdhbam32.exe	41
PID 2432 wrote to memory of 1780	2432	Hpocfncj.exe	42
PID 2432 wrote to memory of 1780	2432	Hpocfncj.exe	42
PID 2432 wrote to memory of 1780	2432	Hpocfncj.exe	42
PID 2432 wrote to memory of 1780	2432	Hpocfncj.exe	42
PID 1780 wrote to memory of 1872	1780	Hhjhkq32.exe	43
PID 1780 wrote to memory of 1872	1780	Hhjhkq32.exe	43
PID 1780 wrote to memory of 1872	1780	Hhjhkq32.exe	43
PID 1780 wrote to memory of 1872	1780	Hhjhkq32.exe	43

C:\Users\Admin\AppData\Local\Temp\1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e9b2bf52faa4a334e10dcb54f2d5fb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\Fhhcgj32.exe
  C:\Windows\system32\Fhhcgj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Fjilieka.exe
    C:\Windows\system32\Fjilieka.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Facdeo32.exe
      C:\Windows\system32\Facdeo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        21⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gangic32.exe

Filesize
320KB

MD5
023016d2c8f68fb35a09f705a07c316f

SHA1
7dfa7ab16f8e63c55346841223542c05767fe37f

SHA256
77de0661daa72e65d51e90d41366854daac537c002492d3e49141c06897ec90d

SHA512
6626aacfc50cd2c52b618543cb825e881a9bbe5c31ae0442ff4871ab2cf41e3e86a81bf0ab2420b759d419232fd679342874046b695873d66c87561560ef64e1

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
320KB

MD5
12cb0c89287de7bce836f2942e2a8c46

SHA1
4df5ab0581d1fff125a8304907e5b605425ec4bd

SHA256
efa1a58e794ff265ce130171c0e5d6f2bb55512707c36f6dba18d07782212134

SHA512
68089ce90298822a62d32ac0c9df13dcf7aacfb673b56dc7303529e2a9d95118b5594830eabf76768cd55d36ea982d44a7bccc2888c97ab19612fa340d5edf37

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
320KB

MD5
e5216782ff86bb02774a01def17a0d80

SHA1
c4bd0d78ff97876fbf422649996e0e8488438423

SHA256
69e32f9610f43f2e50768d08fa1a6756174a54039aa4af8395ea5aa06c7a9855

SHA512
c9ddf9c90c8c3a141f6e3c9a5bc293384bfc534257d7b601d093e3f6bfddbc0af6a823189d6b14d51057a4f5817976846356242ede6d5b4358f3f737caee9242

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
320KB

MD5
6f622b74554d729a195b449a9321d25e

SHA1
d4bd1e8051dd2a73f1499f328513584e1ca1f2a7

SHA256
60529cdfbaa8dbd2fe9c1e2bdc9edcdb97acebbb3fc82739953be7c0afa0ef91

SHA512
1bbe73eddedbe420564cf41e518c246b8c0c57335f4be3908db69ec6053e7a4ecf23c23c2ab09df27c96b1b714b92fc0b67ee224cadbb9123abb9ef7132c7823

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
320KB

MD5
44b0cce170103219b0a3537937c9e125

SHA1
969bd5b09f5330ab7b7f2144b428f47878900a89

SHA256
1f454c52bc5eb1134fb9e4decb1df050fff8f2f201af78f08eb89d937ca799cd

SHA512
10cb917554448f4afcf4448f3149439a0e5d6906dad7afba1a4a0e380176546822ac4fbfed5d75a6e73a91f0abb6fd1654596ee303a6164e8220ccb78e7cf577

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
320KB

MD5
1c692b7fa07481040a573b0669d68e93

SHA1
ef2970ed4d8574bdd0b5d29cfb389a6c710ec18b

SHA256
76f3fa7c3dfcce0bdc9f35b8c3fe023f58bf1cbfc216ab7fc34b3e3fb27da55a

SHA512
e9a3268e2b2c097ebf93cef30752e74f9327c3c69f8f81527a74138cbdd719d55959adaec37ca0c13f4125f69ce7cd760b65cb9d964ddf4325749e2aa17da898

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
320KB

MD5
7504c6a175e54c5c937f7eaa000566d4

SHA1
0fad1d86f6af62294083bab2455bf5c1d69671fe

SHA256
2a6023012038d95d26c6dfed13d5ae32c3231c225d6a50e0f55c748f6a36f146

SHA512
934198b0f8a58bf0fa1691db9e10620c86907ad185600fe8596887b9ff25d2ea2cdb68896c8e5d5d8be54d018d8be634b72354bf7f6c08bcbc425c1810379df1

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
320KB

MD5
530e90b575a34d1c8b80f479e53162de

SHA1
bd8fa2da41a816020d52cb776fb012ceaecdaba9

SHA256
f1273a212b99a1a19284079de8b869e0338d6a9b518962ece57da0a68a9ffdc8

SHA512
b29b278d5000378f2305c4dd905e961ed727eeccd485db9da9329834d93fdac78c45d4775c01ff30ccabbd33434bf2bd72112530746122c52873d3a4f0fa62f1

Download Submit
\Windows\SysWOW64\Fddmgjpo.exe

Filesize
320KB

MD5
4d8e4356b2aee786694007e66d21645e

SHA1
14e973d35411dd70ce4995dc14bb81a70e0b5734

SHA256
322cf148a8abab732b43cdeeada462bd666b1458f34e31e7e09ae65443579f5c

SHA512
3ff2a3bae0148b2c1a8a463e77fcfbeba2c9253e20b2e99074ee82cf6cc444f9ab57c0a198e2d1da340d357d7829f96909d52b6123c2f9c281362b36a69a46d7

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
320KB

MD5
84b92f5569f2e8c51c2fa91d30e811ec

SHA1
6ab720d63ba562aa3fb8b752a51e4ba7e028e7d5

SHA256
ec3cefccaab24971d4598df3d05161fc595140eda5f446eff4dd5cfa1a75bc83

SHA512
3967404344562f2196a191e961075c78b0d3cf5384be2a405b88b3f930cecdccd8836ff467809b6093fec44273a5fb7e91503098047c5623a09a824bcce0e5af

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
320KB

MD5
109f4188f92409b9d5f1dfeab8d0ff6d

SHA1
b14fe1be1c5ab27e5d5078a80490163087969c13

SHA256
702bd96a0dd59eea49d1fedca6fbc616ce9dc0f7ba95fc7cdc677e6764cbdf17

SHA512
b5c3ebee1668c2ca3479e0789793cd0bde105185d95c1f08cdebe05ddf7a6754f3edb72428d9e3f90f172502340249d501fc816075d4ef4df83adee6eedb7865

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
320KB

MD5
1772f562f1dfe09948d0230cf1f6e2f4

SHA1
126857e4d6e0c248067655cfcfa5389a5e777696

SHA256
d8e000aba72e39dc2e6268b705c210a16737f0a48089ac973c2183b650b2480b

SHA512
4f6cfe1237862b165b371e1ac0384f9a43bd5bb1c092870c1dc15fc4de1a653bc6d07472c20e950e123794481e3aca5cbdb057dedaea97254568cc9d31fc70f3

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
320KB

MD5
43a26c62fc5f1fde7422f63577a5c4c5

SHA1
a35f9b09cc169f0577caecceb0539001c08b4db9

SHA256
7bac30c5d0ab95de839a2a3e6a4d9ef525925a62db895f18ec6f224320c1f4ac

SHA512
99edf0421047bebcee92a008a3236cd3afd3a867bb1754dc029be6d50ad546371325f95f2a564f72c34e0507a2aceb302d8123fd2ea25f938052995c9c54bf9f

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
320KB

MD5
235c78bfd64dfcc2dfc7ee023c905468

SHA1
1c7a37bee8bdb0c3b405ea3084f03a1e014b898f

SHA256
884eff74c7a34759eac8628d72c9acdb2185f9f4f08cbea7dda94a3266526973

SHA512
c4a03aed223ebbdfe3d3e431832a09e836205a2fded7a2bc84225ddb976cdf7511a842c9c67398385ac7a785e5a7c1ca32e3deb598487d399c80ce7f2c075353

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
320KB

MD5
122bf33e4b660e0319c60e452161dca0

SHA1
66a73aebd654b5fb454efab435fb727de4a6bb3d

SHA256
88129c0a615a599a41cda3b3b29e252d150664c9627fcc032d1fd89ed3b72b6b

SHA512
c7c66745cf3bdad86789b071e09ae6eaafbddbf79f20098dee8f16c77bc7a45a11491ee5a4347d0fcd373d303fa77aaa6e5da26672349aa414757ff593036b3b

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
320KB

MD5
a46aa51a2ee741d1a62b03aeb197e52a

SHA1
eaaf2060e19bdf43096d3c587fbb64afadc88557

SHA256
177a506742e30119c507a349e0458c697788213b198769bff7331391c1c78fb9

SHA512
97915c0aa753f37a1487dc3d438b39ddbd3d2db6e442a0b4f8af573db0813b2469c597d2bf9e050fa8ec841e273a1f28983df6f90eb24edbd901af41280a2f18

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
320KB

MD5
7bb6100ce256ddb4c1b1c075ef31fd62

SHA1
4863d820ee6c2c59666d6b8026eac702ee12e61e

SHA256
0f5da445392ba42d4a129a774efe0769df15113c557b659966d12b86975fc980

SHA512
fa22169992fb2074c5cff9781c15b7533b1b9b53e87aa074101edf911ba679f11412b7fb8fb91909719e31c9048f47b6ceafada0c8d94de879f3780547721a3a

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
320KB

MD5
77dfdaec41448781be4ca242684b7328

SHA1
19743134eb1111dae49201a8c805312a46342dba

SHA256
cf4cb1e446e706bb4aca148ec74b68c2d0fa0158749aa89c3cbb87e9b4df61e8

SHA512
870dac8f5aedbb638be016a6cd513247e245a8c85b9b5a341c58596aea9cdcc7dbbeb19790a3d0199d02f9403e1f5fe57ee16c31c3cde8892d77e3e0097b4263

Download Submit
\Windows\SysWOW64\Hodpgjha.exe

Filesize
320KB

MD5
bd19fb2f530d0210835777a23fc07e2d

SHA1
23586fd4da2c63a860f043a9c32143abacf592e8

SHA256
55a5a1c53916759017e6a8e2386b9c6445d3d54576e426e5a398d85dc71d4975

SHA512
f6bdd6230d49faaf5c961fd9fbb6ba443679e41a19baad42d276a55de7cdfadbeec825566aa1b8fda89bdbfbd5b3fb7a847008d3c2da62e1efe7259b1fa8683f

Download Submit
\Windows\SysWOW64\Hpocfncj.exe

Filesize
320KB

MD5
7e8b42b23efdbf5d661977f01282b6a8

SHA1
f6159273cd05479555f0d69eb352e1f0ce2ec15a

SHA256
826cc7f013a1da0426be5e6da9227e7a342d1e53e84de6db5e263b364fc4c208

SHA512
ed940c109566b4f4164f357e1c9b601ba8e25fadf61f06161d0b093cffaff1eb75ddfbcf5574d8c30ff7d2444b925894c95dea918fa6339273cb3dff2028646b

Download Submit
memory/688-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-190-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/856-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-122-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1364-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-255-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1388-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-215-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1780-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-229-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1872-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-158-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1876-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-178-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1972-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-6-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2020-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-103-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2196-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-149-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2196-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-135-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2620-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-52-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2808-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-67-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2836-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-85-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2888-25-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2888-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-26-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/3024-251-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3024-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads