56e23b5e8f0e244acc59f18ba3839dbd8fc6038cdb38ebf0464be1a2e7c95049

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Size

192KB
MD5

3a80175b5afaf65ce8d2a45c55f60c70
SHA1

3fce7c3c46072a501d4ce36dc8308e5e0ebbc850
SHA256

56e23b5e8f0e244acc59f18ba3839dbd8fc6038cdb38ebf0464be1a2e7c95049
SHA512

f255412e4ae2bf0d0a840ac66aa4374fab86557d84c5a40f3ecf7df30eabe95a68945ea5d3f4ca0dd03360ac0628b681c602922234a6ac890599436df5aa08dd
SSDEEP

3072:kTJ8o32xVKf2e9Rn+u3CaSeA3kremwc/gHq/Wp+YmKfxgQdxvzSTsXXoT2z:kTJ8o3Gsf2e9RnpXA3/fc/UmKyIxLDXr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe

Executes dropped EXE 19 IoCs

pid	Process
2196	Flmefm32.exe
2260	Ffbicfoc.exe
2592	Gpknlk32.exe
2716	Glaoalkh.exe
2704	Gopkmhjk.exe
2500	Gldkfl32.exe
1984	Ghkllmoi.exe
2884	Gacpdbej.exe
3048	Ggpimica.exe
1660	Gmjaic32.exe
1432	Gphmeo32.exe
3052	Hicodd32.exe
988	Hejoiedd.exe
1392	Hellne32.exe
2432	Hhjhkq32.exe
1496	Hlhaqogk.exe
1704	Iaeiieeb.exe
1132	Iknnbklc.exe
1896	Iagfoe32.exe

Loads dropped DLL 42 IoCs

pid	Process
1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
2196	Flmefm32.exe
2196	Flmefm32.exe
2260	Ffbicfoc.exe
2260	Ffbicfoc.exe
2592	Gpknlk32.exe
2592	Gpknlk32.exe
2716	Glaoalkh.exe
2716	Glaoalkh.exe
2704	Gopkmhjk.exe
2704	Gopkmhjk.exe
2500	Gldkfl32.exe
2500	Gldkfl32.exe
1984	Ghkllmoi.exe
1984	Ghkllmoi.exe
2884	Gacpdbej.exe
2884	Gacpdbej.exe
3048	Ggpimica.exe
3048	Ggpimica.exe
1660	Gmjaic32.exe
1660	Gmjaic32.exe
1432	Gphmeo32.exe
1432	Gphmeo32.exe
3052	Hicodd32.exe
3052	Hicodd32.exe
988	Hejoiedd.exe
988	Hejoiedd.exe
1392	Hellne32.exe
1392	Hellne32.exe
2432	Hhjhkq32.exe
2432	Hhjhkq32.exe
1496	Hlhaqogk.exe
1496	Hlhaqogk.exe
1704	Iaeiieeb.exe
1704	Iaeiieeb.exe
1132	Iknnbklc.exe
1132	Iknnbklc.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	1896	WerFault.exe	46

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2196	1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe	28
PID 1996 wrote to memory of 2196	1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe	28
PID 1996 wrote to memory of 2196	1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe	28
PID 1996 wrote to memory of 2196	1996	3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2260	2196	Flmefm32.exe	29
PID 2196 wrote to memory of 2260	2196	Flmefm32.exe	29
PID 2196 wrote to memory of 2260	2196	Flmefm32.exe	29
PID 2196 wrote to memory of 2260	2196	Flmefm32.exe	29
PID 2260 wrote to memory of 2592	2260	Ffbicfoc.exe	30
PID 2260 wrote to memory of 2592	2260	Ffbicfoc.exe	30
PID 2260 wrote to memory of 2592	2260	Ffbicfoc.exe	30
PID 2260 wrote to memory of 2592	2260	Ffbicfoc.exe	30
PID 2592 wrote to memory of 2716	2592	Gpknlk32.exe	31
PID 2592 wrote to memory of 2716	2592	Gpknlk32.exe	31
PID 2592 wrote to memory of 2716	2592	Gpknlk32.exe	31
PID 2592 wrote to memory of 2716	2592	Gpknlk32.exe	31
PID 2716 wrote to memory of 2704	2716	Glaoalkh.exe	32
PID 2716 wrote to memory of 2704	2716	Glaoalkh.exe	32
PID 2716 wrote to memory of 2704	2716	Glaoalkh.exe	32
PID 2716 wrote to memory of 2704	2716	Glaoalkh.exe	32
PID 2704 wrote to memory of 2500	2704	Gopkmhjk.exe	33
PID 2704 wrote to memory of 2500	2704	Gopkmhjk.exe	33
PID 2704 wrote to memory of 2500	2704	Gopkmhjk.exe	33
PID 2704 wrote to memory of 2500	2704	Gopkmhjk.exe	33
PID 2500 wrote to memory of 1984	2500	Gldkfl32.exe	34
PID 2500 wrote to memory of 1984	2500	Gldkfl32.exe	34
PID 2500 wrote to memory of 1984	2500	Gldkfl32.exe	34
PID 2500 wrote to memory of 1984	2500	Gldkfl32.exe	34
PID 1984 wrote to memory of 2884	1984	Ghkllmoi.exe	35
PID 1984 wrote to memory of 2884	1984	Ghkllmoi.exe	35
PID 1984 wrote to memory of 2884	1984	Ghkllmoi.exe	35
PID 1984 wrote to memory of 2884	1984	Ghkllmoi.exe	35
PID 2884 wrote to memory of 3048	2884	Gacpdbej.exe	36
PID 2884 wrote to memory of 3048	2884	Gacpdbej.exe	36
PID 2884 wrote to memory of 3048	2884	Gacpdbej.exe	36
PID 2884 wrote to memory of 3048	2884	Gacpdbej.exe	36
PID 3048 wrote to memory of 1660	3048	Ggpimica.exe	37
PID 3048 wrote to memory of 1660	3048	Ggpimica.exe	37
PID 3048 wrote to memory of 1660	3048	Ggpimica.exe	37
PID 3048 wrote to memory of 1660	3048	Ggpimica.exe	37
PID 1660 wrote to memory of 1432	1660	Gmjaic32.exe	38
PID 1660 wrote to memory of 1432	1660	Gmjaic32.exe	38
PID 1660 wrote to memory of 1432	1660	Gmjaic32.exe	38
PID 1660 wrote to memory of 1432	1660	Gmjaic32.exe	38
PID 1432 wrote to memory of 3052	1432	Gphmeo32.exe	39
PID 1432 wrote to memory of 3052	1432	Gphmeo32.exe	39
PID 1432 wrote to memory of 3052	1432	Gphmeo32.exe	39
PID 1432 wrote to memory of 3052	1432	Gphmeo32.exe	39
PID 3052 wrote to memory of 988	3052	Hicodd32.exe	40
PID 3052 wrote to memory of 988	3052	Hicodd32.exe	40
PID 3052 wrote to memory of 988	3052	Hicodd32.exe	40
PID 3052 wrote to memory of 988	3052	Hicodd32.exe	40
PID 988 wrote to memory of 1392	988	Hejoiedd.exe	41
PID 988 wrote to memory of 1392	988	Hejoiedd.exe	41
PID 988 wrote to memory of 1392	988	Hejoiedd.exe	41
PID 988 wrote to memory of 1392	988	Hejoiedd.exe	41
PID 1392 wrote to memory of 2432	1392	Hellne32.exe	42
PID 1392 wrote to memory of 2432	1392	Hellne32.exe	42
PID 1392 wrote to memory of 2432	1392	Hellne32.exe	42
PID 1392 wrote to memory of 2432	1392	Hellne32.exe	42
PID 2432 wrote to memory of 1496	2432	Hhjhkq32.exe	43
PID 2432 wrote to memory of 1496	2432	Hhjhkq32.exe	43
PID 2432 wrote to memory of 1496	2432	Hhjhkq32.exe	43
PID 2432 wrote to memory of 1496	2432	Hhjhkq32.exe	43

C:\Users\Admin\AppData\Local\Temp\3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a80175b5afaf65ce8d2a45c55f60c70_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\Flmefm32.exe
  C:\Windows\system32\Flmefm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Ffbicfoc.exe
    C:\Windows\system32\Ffbicfoc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\Gpknlk32.exe
      C:\Windows\system32\Gpknlk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
192KB

MD5
e0592dc5c3548248a3d63d3133e79d26

SHA1
e6ee8df4121cae32414dcf73bde213d5274a455f

SHA256
d44a9546dbbd602b60ceb0bed547116a473e469c495f37c306fdf94cd063b0df

SHA512
64a9a6016cf9b4e4ff93630afa916106da6703eef768938001976bb988b24f519333f78b1a3ff7cc5902bc914b7f408ab63b81097f5d60fbc4e0c60b377d939b

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
192KB

MD5
38cbb27a19a9101dac0ce22a6aa42856

SHA1
865042e203545e8eb09bc5dbbcc1b82a30fe3467

SHA256
85df569f12850dd1910ba7a5b1c6801d854833491c361d0b3858dd064a21b30d

SHA512
a6049119a82d0129fcd36b86b696276751ce819fd18f5607e04a5b208c7dae1e3a764cda8c884b42dca02ebdcb69d1dfc884bbd7852e418fedb461f18cec62a0

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
192KB

MD5
04ad848084cd1237244511b841364da8

SHA1
7493498044f49df56e7c76bd057416514bf44533

SHA256
b5060b74272bffd0d5547ba0005d14b4e7be323593afdc472fb87a082b52b359

SHA512
84880d62f45a74596196fba590414374c9934e86df496cd8548d0d45814379588d66db82be00aefdba65e6006cd9fd45a30715b0b5f6f2804915919aa6073fa2

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
192KB

MD5
e5fb8669adc5b287cb2afcd85085836b

SHA1
86cf4829de4b5f4ff0eb3dec3d16a452ba044e38

SHA256
6874903258b23aa12b9ef23ad360daa70cd7ef457026f9deb00ebc932e5c8172

SHA512
2f0bf5416a366618216bb5fcc26a562e790f680972f5a16992d31426845b13e3c52669dc5321b0d4b1de926ad0af8c133ae09a143f0bd8c0ff9e06478d51813c

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
192KB

MD5
4b6640f92630f5f52ff87cef68c93dae

SHA1
1631259b929944e622044fef81bee0df71afbdbf

SHA256
8bfaedffd001d464efa3e4c5e2a1d1106c906426052ba34153d8f98ce882e044

SHA512
55cdc18df59d104f2a126684daaabeda252cb1f035af39ce3834b6cf1b1c8d2e0d308896134b4a4ee8b87ce569ad428ec1c3ed9027dafe8411affa79d5ae9ee5

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
192KB

MD5
72a65f8e2789b4c546b0450bd842d45d

SHA1
385e7879baa53827b50ced2979e6defb8256ad79

SHA256
022521e268cf6dde7e796b58611791842f298793f17e68964665d6201f22ade7

SHA512
fe32c1bd86be6f6d3fa982f8d8bf65cc73243d6b22487ef9a9d42c360d23e81bb645b74d7da44b0da809568165690bd04d2cfd283f80dced8f805210ef847a05

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
192KB

MD5
ed6cf73466dfa2eb92b87478c9d42f21

SHA1
d2fec01e7572879d9bbbc81970fd8cb8809501e7

SHA256
f496cc7b28e7316bdf4d49696f7cb28e8a06f192bdb3653a1050aad0e6cd50a2

SHA512
d84e63954b4dce679b0e7b97375a3abed73dae13dc026d5681f94377f489877cfe0c40dffdf90e7432432b14891552095d2461ddcfd92e60528258ffc9368d53

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
192KB

MD5
01626b6391e499325f232d9111c67bb4

SHA1
b1d92b8fd2cd7c769a67a58fa9a3442eb14a89f2

SHA256
f33c3130b86fd48c49c75e1321a63f8a2ac6118eb432329de2dfba433c783fb0

SHA512
959de39332bb541714766be856e08ea5aec27336a8b9625b115ed0f70bdc9db31040461676baa5f5472897412009ab14a6bdf6b6236a2fd5148d9b2b0d65fe99

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
192KB

MD5
482a1ff77fbf599be8c3f383194492ed

SHA1
5af5a24b2b899e9ed3b69d9ae7e488732139719f

SHA256
acf23d8e804c65ceba3d5df6976be09e3667ddf5f8a2fb4cfc53c4c83ec7e47a

SHA512
fe6259d515b2bc22001d5cdd7d2ac3a7e0f4c723cbd4fbbff78dbe38afae961d93f079b8f2b7c97173208a7b8f6b44200a1ebaee450f05e056c102d1710803e0

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
192KB

MD5
a2443f66316edab5ad8107907901aaab

SHA1
1f96976a963f9c8288f4c240ef8fa1f4795a67c4

SHA256
bb02810f55c7c1d1a6e11229ffc0bb5b634a3ce93ad29d4e41dde9299a6103c0

SHA512
f76d570d84fedf0bea35979a1021bbfb0b72ca3301256e5ac1a3badfafd703b28d056f361e65fb07ec4bbf8d5461e2493ed40a5e55cf9cbd73a2465bd9b51c59

Download Submit
C:\Windows\SysWOW64\Jgdmei32.dll

Filesize
7KB

MD5
63d280768be1409e23080c9fa276e111

SHA1
88922fb11a236581728f948ddd93706472b20ef6

SHA256
0dbaf254c12576700d9d67dd4b367e3327fd4c62a629470932ad76f111ee096f

SHA512
e6fedfce46189fb82cfa664273a491ee14caf3b2fe4487c408ca0343dc3eff8ef78e309cdb07d2233957f0c858be0b361b48306d889c3187e5b1a0727560051d

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
192KB

MD5
d729077e9b88b9f8a2d50f7924e06a6c

SHA1
ab4594be23fc143c8af5e9d20e1692cae90484f7

SHA256
effea49014102fa99bb23686d4013483636945c203d40db57efc70d370ebcbc5

SHA512
9617119c8228ec1009ceed4cfc341eb1938c79834d4ec3adc212341ef9ffc7c5e933bb1e1f8e26d16b0c4a40954dc095b849f2f78bb3497da6211e1a0aef3d63

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
192KB

MD5
adcb83f31bb7f38536dad73028ffa395

SHA1
e4912edb4a887ffaf948eb630992d03fd97d3f50

SHA256
a96b9752eb50814024923a34dae95d9ecc480aee8ab4437c57629ba5fefac957

SHA512
66bf4d809435f36dfc44f42b933bd632248363fa8ae32f407fc80f81e675b6e2b0829b4f1e736dd18475e5da3147aa43cfa3bceae0eb8f7f065d9253b6c60771

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
192KB

MD5
da9d6b2ea6f33622533a33d037e82cc7

SHA1
ea3a68c077479aba0b61d49cd6145652001e0d04

SHA256
cabc52b8b5621462aa60e635785cf6e432b752245cb7ebfeb00d5e15d289fe9d

SHA512
57503288e3f3b9081b76856403b77b37480bd37c4902f275644ba18357b96222a3e4b4e0fcd1642971c1f7002497ed88291932824aee7603d071e1334f5b913b

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
192KB

MD5
33606f7c289fc2dc6fa7d19c00c94ce9

SHA1
30e6a5cf0c288c5e5cf50c68a012f96ed8330291

SHA256
2feb5bc5b2c10bd1d38b485aff035f65edf9c8caa7089330333ed4b492bff302

SHA512
00043080302fd208863b1c248b4a7fefb52847c6ba46a62f976ee11f7b0ae8c0c6347c5a4d016df0ed1f9a0a05ae974a16170c56051751851ebc8c1e88ae120f

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
192KB

MD5
1d943c0e96c19eae032371a4c0bb9153

SHA1
8a0e68d9656558c82238ebf1444da144f18929d7

SHA256
6d6eb4b09986dbe70274bcf877015891fcf6f12e003cbcc4c87218db6e6b0c89

SHA512
e976b36c0355b8c14d5ad5cc7ebcdf5c3df6623baa4395bacfc1107c2b9a80be16b86e2827c3fe5d517323e50f823460ce060005a693bb8c6d80f037e774aeef

Download Submit
\Windows\SysWOW64\Hellne32.exe

Filesize
192KB

MD5
54e12d846be9934221298bcaaedd9f3e

SHA1
44cc10e1d0000b6148b5e5e05af3a7584fdaa303

SHA256
48c1b72109ecf85f1a7c8d71fc85efa27ef61281e914fa3d81a5fcd0636686fd

SHA512
1ba75b21a2960f3e60e1df77d9f11da4d735708baeecad864a61454bb5bbb7d07f625487c75f8425fd8e804e412e446c8f2d68fbf99aacf5f61b2d383dc30e17

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
192KB

MD5
c7bf93a0f0898c943807684a32bdcf71

SHA1
d4405c282ce119059e3b22ea59cb8a0d9a48f2f1

SHA256
148f23d51ed2a915446e0ca34c5d8514bee50b7482eb9ca2fdac75cd6afda211

SHA512
f9415adcc4d77649e9c03602be8f2d1734214d2a6443a648a50442ab3cc0b3a80929d3ee05bbfa5e63163b173226efa988a070d433989b482ac8dc516b8cadc6

Download Submit
\Windows\SysWOW64\Hicodd32.exe

Filesize
192KB

MD5
c9d78142e35421a28cac3bea1a6f6d3b

SHA1
ddfad5a482a2beffb1fd40090ae97ba53706473d

SHA256
c575ed3f4f7e9520469ac134c99ea735df3b879e8fdba517018477e271d2213b

SHA512
2838c640a0709bf221af110cc53ae190a79f74166272b11b2125460351f7479389da17fb406ce7aee7d7dd20e0c416fdfc1ced2fdba89f78f9ca279bddd00432

Download Submit
\Windows\SysWOW64\Hlhaqogk.exe

Filesize
192KB

MD5
ea79b77846b88c8ff13b51ae08ba0620

SHA1
6385bf2fbe9bfb10faccf0609577966afe14bffa

SHA256
9a8c25ff3c28072afdc31996dfe64e7ab4713ee9dee54cdfcb5dd6abd1ff148d

SHA512
666ef4d30d3a2755f54e21bb1fbe69283a5a0733a20d6e2cf7718ccba1a72668e7bce5025852b27b9853cc4a5f7831e0848cab9d4057ec1e7000219f5cca1944

Download Submit
memory/988-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/988-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-245-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/1132-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-154-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1432-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-224-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1496-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-145-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1660-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-234-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1704-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-11-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1996-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-12-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2196-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-208-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2432-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-79-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2716-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-131-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3052-173-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/3052-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads