05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Size

94KB
MD5

8367187fd6cf0caa28c38cecae81ebe0
SHA1

db90522ea7d36aac4e71679e511456f977a64a3e
SHA256

05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913
SHA512

6bfba52312cd2cbe06e7e47c7941ef1bf7b4a3b90dcc03ee5081c4f3028b47f3eaa6b86336508e2d41bd2e5e13d5c5f56d4f8101a7835acfaf1e7f53587b83c1
SSDEEP

1536:rtl0Bfn2FQsE2Au8xp84fNj5C0E7rinU0Ymw2L0maIZTJ+7LhkiB0MPiKeEAgv:rtiBfn2FQh2AbxS4fNRtnV0maMU7uihX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe

Executes dropped EXE 18 IoCs

pid	Process
2096	Gbijhg32.exe
2684	Ghfbqn32.exe
3068	Gejcjbah.exe
2564	Gobgcg32.exe
2404	Gelppaof.exe
3052	Gkihhhnm.exe
2480	Geolea32.exe
2912	Gogangdc.exe
376	Gphmeo32.exe
2580	Hahjpbad.exe
2672	Hkpnhgge.exe
652	Hckcmjep.exe
840	Hobcak32.exe
852	Hgilchkf.exe
588	Hodpgjha.exe
988	Hkkalk32.exe
1248	Ieqeidnl.exe
284	Iagfoe32.exe

Loads dropped DLL 40 IoCs

pid	Process
2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
2096	Gbijhg32.exe
2096	Gbijhg32.exe
2684	Ghfbqn32.exe
2684	Ghfbqn32.exe
3068	Gejcjbah.exe
3068	Gejcjbah.exe
2564	Gobgcg32.exe
2564	Gobgcg32.exe
2404	Gelppaof.exe
2404	Gelppaof.exe
3052	Gkihhhnm.exe
3052	Gkihhhnm.exe
2480	Geolea32.exe
2480	Geolea32.exe
2912	Gogangdc.exe
2912	Gogangdc.exe
376	Gphmeo32.exe
376	Gphmeo32.exe
2580	Hahjpbad.exe
2580	Hahjpbad.exe
2672	Hkpnhgge.exe
2672	Hkpnhgge.exe
652	Hckcmjep.exe
652	Hckcmjep.exe
840	Hobcak32.exe
840	Hobcak32.exe
852	Hgilchkf.exe
852	Hgilchkf.exe
588	Hodpgjha.exe
588	Hodpgjha.exe
988	Hkkalk32.exe
988	Hkkalk32.exe
1248	Ieqeidnl.exe
1248	Ieqeidnl.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Gkihhhnm.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hahjpbad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	284	WerFault.exe	45

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2096	2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe	28
PID 2328 wrote to memory of 2096	2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe	28
PID 2328 wrote to memory of 2096	2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe	28
PID 2328 wrote to memory of 2096	2328	05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe	28
PID 2096 wrote to memory of 2684	2096	Gbijhg32.exe	29
PID 2096 wrote to memory of 2684	2096	Gbijhg32.exe	29
PID 2096 wrote to memory of 2684	2096	Gbijhg32.exe	29
PID 2096 wrote to memory of 2684	2096	Gbijhg32.exe	29
PID 2684 wrote to memory of 3068	2684	Ghfbqn32.exe	30
PID 2684 wrote to memory of 3068	2684	Ghfbqn32.exe	30
PID 2684 wrote to memory of 3068	2684	Ghfbqn32.exe	30
PID 2684 wrote to memory of 3068	2684	Ghfbqn32.exe	30
PID 3068 wrote to memory of 2564	3068	Gejcjbah.exe	31
PID 3068 wrote to memory of 2564	3068	Gejcjbah.exe	31
PID 3068 wrote to memory of 2564	3068	Gejcjbah.exe	31
PID 3068 wrote to memory of 2564	3068	Gejcjbah.exe	31
PID 2564 wrote to memory of 2404	2564	Gobgcg32.exe	32
PID 2564 wrote to memory of 2404	2564	Gobgcg32.exe	32
PID 2564 wrote to memory of 2404	2564	Gobgcg32.exe	32
PID 2564 wrote to memory of 2404	2564	Gobgcg32.exe	32
PID 2404 wrote to memory of 3052	2404	Gelppaof.exe	33
PID 2404 wrote to memory of 3052	2404	Gelppaof.exe	33
PID 2404 wrote to memory of 3052	2404	Gelppaof.exe	33
PID 2404 wrote to memory of 3052	2404	Gelppaof.exe	33
PID 3052 wrote to memory of 2480	3052	Gkihhhnm.exe	34
PID 3052 wrote to memory of 2480	3052	Gkihhhnm.exe	34
PID 3052 wrote to memory of 2480	3052	Gkihhhnm.exe	34
PID 3052 wrote to memory of 2480	3052	Gkihhhnm.exe	34
PID 2480 wrote to memory of 2912	2480	Geolea32.exe	35
PID 2480 wrote to memory of 2912	2480	Geolea32.exe	35
PID 2480 wrote to memory of 2912	2480	Geolea32.exe	35
PID 2480 wrote to memory of 2912	2480	Geolea32.exe	35
PID 2912 wrote to memory of 376	2912	Gogangdc.exe	36
PID 2912 wrote to memory of 376	2912	Gogangdc.exe	36
PID 2912 wrote to memory of 376	2912	Gogangdc.exe	36
PID 2912 wrote to memory of 376	2912	Gogangdc.exe	36
PID 376 wrote to memory of 2580	376	Gphmeo32.exe	37
PID 376 wrote to memory of 2580	376	Gphmeo32.exe	37
PID 376 wrote to memory of 2580	376	Gphmeo32.exe	37
PID 376 wrote to memory of 2580	376	Gphmeo32.exe	37
PID 2580 wrote to memory of 2672	2580	Hahjpbad.exe	38
PID 2580 wrote to memory of 2672	2580	Hahjpbad.exe	38
PID 2580 wrote to memory of 2672	2580	Hahjpbad.exe	38
PID 2580 wrote to memory of 2672	2580	Hahjpbad.exe	38
PID 2672 wrote to memory of 652	2672	Hkpnhgge.exe	39
PID 2672 wrote to memory of 652	2672	Hkpnhgge.exe	39
PID 2672 wrote to memory of 652	2672	Hkpnhgge.exe	39
PID 2672 wrote to memory of 652	2672	Hkpnhgge.exe	39
PID 652 wrote to memory of 840	652	Hckcmjep.exe	40
PID 652 wrote to memory of 840	652	Hckcmjep.exe	40
PID 652 wrote to memory of 840	652	Hckcmjep.exe	40
PID 652 wrote to memory of 840	652	Hckcmjep.exe	40
PID 840 wrote to memory of 852	840	Hobcak32.exe	41
PID 840 wrote to memory of 852	840	Hobcak32.exe	41
PID 840 wrote to memory of 852	840	Hobcak32.exe	41
PID 840 wrote to memory of 852	840	Hobcak32.exe	41
PID 852 wrote to memory of 588	852	Hgilchkf.exe	42
PID 852 wrote to memory of 588	852	Hgilchkf.exe	42
PID 852 wrote to memory of 588	852	Hgilchkf.exe	42
PID 852 wrote to memory of 588	852	Hgilchkf.exe	42
PID 588 wrote to memory of 988	588	Hodpgjha.exe	43
PID 588 wrote to memory of 988	588	Hodpgjha.exe	43
PID 588 wrote to memory of 988	588	Hodpgjha.exe	43
PID 588 wrote to memory of 988	588	Hodpgjha.exe	43

C:\Users\Admin\AppData\Local\Temp\05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05a9c19fbb58e87adb50fc75745db45de56f59e4776a8eed418ca9f5758f9913_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\Gbijhg32.exe
  C:\Windows\system32\Gbijhg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Ghfbqn32.exe
    C:\Windows\system32\Ghfbqn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Gejcjbah.exe
      C:\Windows\system32\Gejcjbah.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 284 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Geolea32.exe

Filesize
94KB

MD5
7d548b9b7a72402eb50402122445f60a

SHA1
5ed051c64c96f68e4fa941fa1760dd15417e8fe1

SHA256
111e8290b4c7dec67633f1f9c7da772fb026ca7bc6f6984a5301500f1b277b07

SHA512
3242138823a8c5a57c931f486639eb214fc4591f5b6c366c19f8fd1b11532c031ed0e394de6acbd4c38d99542af1ae79a6db1aafa4a7a3091ad3fffa048210d7

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
94KB

MD5
f03d67397b708f84ff13b03b13f3d8fc

SHA1
f58171f3dc1f98192e3b97bc5dbca397c0335f1a

SHA256
1a7e92a59c97603556da4fb8f4eb29ed4fb5bd40fad4ffd25a96a583f6ac35d3

SHA512
c6efcfcc2e075120d095e9cf4089533bf49205e1749931c274950f7180a5e55c777f6d9c36bf2f2fa6423fe8277537fb0a10573101f8b1bfc07be6f2601653f6

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
94KB

MD5
655ef5d6d09e033fc6e1c154a7911839

SHA1
df51b49dde4960c36c8c29a165c9e2eaff403c93

SHA256
bb838f952a7c618db579125456d662ee14ca610b6a9f26f4a413f32cea701e97

SHA512
8e73df978cc1e1896681325f9338f36101db8e45de08681c55d120f0892849148bb15db0f7817a4ea3352fea4437cf1de3f3b2f9795e4cc526dfd993722e389b

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
94KB

MD5
5d9fbc281f9a365d28e0817be95f0cd5

SHA1
a37bf657eb965fc8883d120cc79bbb740881d8ec

SHA256
493cd94b41d087e785e0ba9cf253474448a0c1d058936298e1e9460cfb8eb751

SHA512
e399e8f6f6583f14a726abef433e57be14d21fc695ad3d3083f4b74f5945173b1bef3d4faf6fc48838a3ef904b323cc073021e2890d4821042bd42d432e6ebd1

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
94KB

MD5
9a71de1ef0e2fb2c5a2d182136e201ab

SHA1
ac82a03dd7a6bfd74306f1be6d015ad2f8e67f7d

SHA256
b1b0a3e85f253e7e38b6b7e3ad2475df73090c538104761da554ebc6fbe21b05

SHA512
95d926624db6d03d27c86e4d96d778ff200ca8c20593c10b09c4be2959fa336d4febbc09d83d6851a8c1de5a8101339b989616f852935b95e1ebb5adabaacc9e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
94KB

MD5
ba548c29896fcc26b9add87f5a744606

SHA1
e1d3b6b2cb9e01e400cf6fd383fdcff560bd2f72

SHA256
36538f5194d3172ecb19bd6a0d6562c8f4debef8fb1af44f7025c142a18c56cc

SHA512
f589cfebdcfd51ff536fce0f1771abbb0aee164d6caea7ff4ad6bde69896c9ba1e0820e0abc095c37dd4fb628b67b8f4718f88b65f32d4e3d35fc2ba3ac78948

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
94KB

MD5
278e4b2757a56fd9f2bc62bd0ed49ccc

SHA1
7560cdc3248cf47f792d63fefe6215e1d8fbf04a

SHA256
1cf69924acd4791234d1f7ecd0be2e5d18406c36861f07ff68a3569425c04ea6

SHA512
501af0ed7b0eadbc48dc6698c163543b9afa9ae207e8c7baa52c6fe16528edb28947d0f4eb0d84007e1d26de6f6c106824787bb1490dffb118ddaf08d0a7df77

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
94KB

MD5
ba609b47da572f506a7170260acbe6b5

SHA1
d903987a96fdf0a2119086d1fcdf6732225c4fd3

SHA256
5bb26ab76929c4e2969de477306ead4f20ff7cf679f79dad35f9f270e8b6621e

SHA512
08188c384565a4ab3c45f1b8a01dd81607c63353e459c651e0d52c8b096d441b1489364f22a939a849d1410cde4f4586f3087bacfedd9334b88cc2e1f89efe7f

Download Submit
\Windows\SysWOW64\Gejcjbah.exe

Filesize
94KB

MD5
9a12c4e7ac039495cf3242533fbc7185

SHA1
860998cbb5b4026f2f1cb348acdd8dffa2e25e3c

SHA256
ea29e900bab1a1aac13641e25489d445ea5e2dc58a2b2d6da5110ee540b80682

SHA512
e68a3f3f37077793fd277905a562cc7c7247709c7551b721043ff1f85bd0776432a25729381c5ec4e710896403bdc49de942d92f558482cad144610bacd732f8

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
94KB

MD5
61d53025419ddfd94a8ef272afb81e6f

SHA1
eb5bc7f19d59f12bc63d2835b5ddd7c7f49fd44b

SHA256
3a77693727a9d114cdeb6968a6da9acb1ef7a3a5e684ba9fdd767dcf0b4d7a55

SHA512
cc158a94aaf7270efaf6de35bf29d552e53b1bf81371aa645966a8e9f7ef032ecad13e7a8ceb0a23597873ba498085fdffacb3efba74b5aa31060d58221ae165

Download Submit
\Windows\SysWOW64\Gkihhhnm.exe

Filesize
94KB

MD5
1567343e217a76928bb776021c1bad54

SHA1
64485765640aa71ffa0a997e4f0117c3c88cf398

SHA256
7615bd1f344ef9626c96ad8c1a63ea3a779e82ac3fb4d189678a4b4d62f7c053

SHA512
7f569531e135b3795971071b14cfb25a1ef72ac093a61cc9879eddf17ecf3368dc099e6013650785b9be8335ec0e43c9ba10be4149b2605bfb0f9ce56a4a2c72

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
94KB

MD5
05ae1b65d0d31409862bf81ee862f3d4

SHA1
eb111c0fa4bc9b9f9439de5df6ad2567052669cd

SHA256
4b1758a4d4fe272b73bf923ea539a19514bd338ba5d97ac8777447ba7cddcf7d

SHA512
509d2585dfe5702e73d7ecc9065167e95b7c2b3446f6ba908586ebab35ce261075269c9607493d5ea334f9599ba3dfe0d4b83e67489768b503f204694a8a4422

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
94KB

MD5
6646ea2f4d3070fdb84c56d9cb3804a0

SHA1
cb6d2e865a9b66f6486f8c1cb3e0dca8e2bce7f4

SHA256
2fac6789a7f0c43722d1f4a78d6d5fafe4c8284cffb2366dea3f169ce47c8625

SHA512
a3fae5c6722415db6e385b6790a20fa4b41a9ac623a305221b2641c638e70d48ceddff09795d6d9777da03ec03f9acbb1fa4fc9eada5b0d4556f39a66eff8b1f

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
94KB

MD5
52586f3743dda2af2f5e905fa87b59a0

SHA1
c079bfe9c8b79ce9c2a8773ac9c9e05987ee752a

SHA256
cd71ad3a8814451b0d2a2154f58a56a37e0fe8fb19b76eed0b1f60d12ee32108

SHA512
d2ba7fb48a9b9a6c31f9577f33231fbdbeb53493040ee552da191690ef9d42c9ed03bae217abf0167456177142333a0e7390c658bf4d29ffaffce7d7e21523c0

Download Submit
\Windows\SysWOW64\Hahjpbad.exe

Filesize
94KB

MD5
e3b8fe302f40c2cd228594004e8d0249

SHA1
c970f0d75919faeb88332bb8487c94f44793e352

SHA256
1badb358ff3fde3ad2357d5ee0257c503a42bec5705a6782d18c260de5f3ff23

SHA512
1544682b7471388ec1d0a1a9a2d2d4467d607c868007b7205e398b2901a9f0f219c3b60323d756438feefa87799969dcf981e8b1144219084d634a667ca2280a

Download Submit
\Windows\SysWOW64\Hckcmjep.exe

Filesize
94KB

MD5
c72c42d9b08ccdf99ac21bb0185658d0

SHA1
57202924b7ec1f581772903ed3a36134fc5464a2

SHA256
88086d00988ffbb4c12e98cd12210af36f55f89383cce4ab6a30a55cae3967b7

SHA512
ed55ab7f082e62642dc3d2b6e3fc1dac6844857a35f11383ff33b6c76bd127b3362f93c1a34cfcce2c796ae23320d657aa29cb0b5b6490bd53ba653bbbfc04af

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
94KB

MD5
85f83e8387e005160059997352c5c312

SHA1
a4ea333381d079cf8a8b0337af518d3c6129d0e1

SHA256
a393febccfd06ee9ede45fec97d302fc6433b60d1861be908df7db0f508e5889

SHA512
35208ca70d6f622fa5feb16cdf90681acbf36ae066915feff6558f82b64ad643558895123e650a105a6d1513956f04365c63eaede56542455c459c3294e0e5d0

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
94KB

MD5
e31697581cb373426158640f80b0cc35

SHA1
48381f26e9f12b36767ce342d1a34182ec138a3b

SHA256
00c18c6e8a65fea7185b71f99778cc2551f37333e01ba1c8392da2f3cea81248

SHA512
d449917e1b1c91347fc25e8b5f7ee362204561c675c21479d83fe64ad4b63211b3285c10ac0ac601290ffed78993204c7f24b4fa8494cc688ad27d9bf7f8f7c7

Download Submit
memory/284-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/376-133-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/376-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/588-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/588-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/588-225-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/588-226-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/652-183-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/652-253-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/652-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/652-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-202-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/840-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-256-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/988-239-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/988-259-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/988-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/988-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-250-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1248-261-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1248-246-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2096-26-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2096-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-94-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2328-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-11-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2404-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-166-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2672-165-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2684-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-39-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2684-118-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2684-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-117-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2912-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads