7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Size

108KB
MD5

d4cceb855773ce51ab7b412604464c50
SHA1

31db7d14c43ab19db8a4d4f67e19a7cf22be54b8
SHA256

7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2
SHA512

6b419e9c06746d5b583594526d97fd4b2e1409a4230d5bf7f72ee502c0b06e6b0fa5d8140136aabc48cebfd106da44e36885d4dac2b7b5f8b64e30378f517c40
SSDEEP

1536:4XWA1tnkOPKSE+ZVCjk+eMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:4ZnbPg9k+8UjmOiBn3w8BdTj2h3K

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe

Executes dropped EXE 19 IoCs

pid	Process
2944	Gicbeald.exe
2980	Gejcjbah.exe
2620	Gbnccfpb.exe
2556	Ghkllmoi.exe
2604	Gmgdddmq.exe
2416	Ggpimica.exe
2880	Ghoegl32.exe
1928	Hmlnoc32.exe
2740	Hgdbhi32.exe
700	Hnojdcfi.exe
2304	Hckcmjep.exe
2016	Hiekid32.exe
1904	Hcnpbi32.exe
592	Hhjhkq32.exe
1420	Hpapln32.exe
308	Henidd32.exe
2272	Idceea32.exe
2064	Ilknfn32.exe
3064	Iagfoe32.exe

Loads dropped DLL 42 IoCs

pid	Process
1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
2944	Gicbeald.exe
2944	Gicbeald.exe
2980	Gejcjbah.exe
2980	Gejcjbah.exe
2620	Gbnccfpb.exe
2620	Gbnccfpb.exe
2556	Ghkllmoi.exe
2556	Ghkllmoi.exe
2604	Gmgdddmq.exe
2604	Gmgdddmq.exe
2416	Ggpimica.exe
2416	Ggpimica.exe
2880	Ghoegl32.exe
2880	Ghoegl32.exe
1928	Hmlnoc32.exe
1928	Hmlnoc32.exe
2740	Hgdbhi32.exe
2740	Hgdbhi32.exe
700	Hnojdcfi.exe
700	Hnojdcfi.exe
2304	Hckcmjep.exe
2304	Hckcmjep.exe
2016	Hiekid32.exe
2016	Hiekid32.exe
1904	Hcnpbi32.exe
1904	Hcnpbi32.exe
592	Hhjhkq32.exe
592	Hhjhkq32.exe
1420	Hpapln32.exe
1420	Hpapln32.exe
308	Henidd32.exe
308	Henidd32.exe
2272	Idceea32.exe
2272	Idceea32.exe
2064	Ilknfn32.exe
2064	Ilknfn32.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Ggpimica.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3024	3064	WerFault.exe	46

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2944	1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2944	1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2944	1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2944	1948	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 2980	2944	Gicbeald.exe	29
PID 2944 wrote to memory of 2980	2944	Gicbeald.exe	29
PID 2944 wrote to memory of 2980	2944	Gicbeald.exe	29
PID 2944 wrote to memory of 2980	2944	Gicbeald.exe	29
PID 2980 wrote to memory of 2620	2980	Gejcjbah.exe	30
PID 2980 wrote to memory of 2620	2980	Gejcjbah.exe	30
PID 2980 wrote to memory of 2620	2980	Gejcjbah.exe	30
PID 2980 wrote to memory of 2620	2980	Gejcjbah.exe	30
PID 2620 wrote to memory of 2556	2620	Gbnccfpb.exe	31
PID 2620 wrote to memory of 2556	2620	Gbnccfpb.exe	31
PID 2620 wrote to memory of 2556	2620	Gbnccfpb.exe	31
PID 2620 wrote to memory of 2556	2620	Gbnccfpb.exe	31
PID 2556 wrote to memory of 2604	2556	Ghkllmoi.exe	32
PID 2556 wrote to memory of 2604	2556	Ghkllmoi.exe	32
PID 2556 wrote to memory of 2604	2556	Ghkllmoi.exe	32
PID 2556 wrote to memory of 2604	2556	Ghkllmoi.exe	32
PID 2604 wrote to memory of 2416	2604	Gmgdddmq.exe	33
PID 2604 wrote to memory of 2416	2604	Gmgdddmq.exe	33
PID 2604 wrote to memory of 2416	2604	Gmgdddmq.exe	33
PID 2604 wrote to memory of 2416	2604	Gmgdddmq.exe	33
PID 2416 wrote to memory of 2880	2416	Ggpimica.exe	34
PID 2416 wrote to memory of 2880	2416	Ggpimica.exe	34
PID 2416 wrote to memory of 2880	2416	Ggpimica.exe	34
PID 2416 wrote to memory of 2880	2416	Ggpimica.exe	34
PID 2880 wrote to memory of 1928	2880	Ghoegl32.exe	35
PID 2880 wrote to memory of 1928	2880	Ghoegl32.exe	35
PID 2880 wrote to memory of 1928	2880	Ghoegl32.exe	35
PID 2880 wrote to memory of 1928	2880	Ghoegl32.exe	35
PID 1928 wrote to memory of 2740	1928	Hmlnoc32.exe	36
PID 1928 wrote to memory of 2740	1928	Hmlnoc32.exe	36
PID 1928 wrote to memory of 2740	1928	Hmlnoc32.exe	36
PID 1928 wrote to memory of 2740	1928	Hmlnoc32.exe	36
PID 2740 wrote to memory of 700	2740	Hgdbhi32.exe	37
PID 2740 wrote to memory of 700	2740	Hgdbhi32.exe	37
PID 2740 wrote to memory of 700	2740	Hgdbhi32.exe	37
PID 2740 wrote to memory of 700	2740	Hgdbhi32.exe	37
PID 700 wrote to memory of 2304	700	Hnojdcfi.exe	38
PID 700 wrote to memory of 2304	700	Hnojdcfi.exe	38
PID 700 wrote to memory of 2304	700	Hnojdcfi.exe	38
PID 700 wrote to memory of 2304	700	Hnojdcfi.exe	38
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2304 wrote to memory of 2016	2304	Hckcmjep.exe	39
PID 2016 wrote to memory of 1904	2016	Hiekid32.exe	40
PID 2016 wrote to memory of 1904	2016	Hiekid32.exe	40
PID 2016 wrote to memory of 1904	2016	Hiekid32.exe	40
PID 2016 wrote to memory of 1904	2016	Hiekid32.exe	40
PID 1904 wrote to memory of 592	1904	Hcnpbi32.exe	41
PID 1904 wrote to memory of 592	1904	Hcnpbi32.exe	41
PID 1904 wrote to memory of 592	1904	Hcnpbi32.exe	41
PID 1904 wrote to memory of 592	1904	Hcnpbi32.exe	41
PID 592 wrote to memory of 1420	592	Hhjhkq32.exe	42
PID 592 wrote to memory of 1420	592	Hhjhkq32.exe	42
PID 592 wrote to memory of 1420	592	Hhjhkq32.exe	42
PID 592 wrote to memory of 1420	592	Hhjhkq32.exe	42
PID 1420 wrote to memory of 308	1420	Hpapln32.exe	43
PID 1420 wrote to memory of 308	1420	Hpapln32.exe	43
PID 1420 wrote to memory of 308	1420	Hpapln32.exe	43
PID 1420 wrote to memory of 308	1420	Hpapln32.exe	43

C:\Users\Admin\AppData\Local\Temp\7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\Gicbeald.exe
  C:\Windows\system32\Gicbeald.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Gejcjbah.exe
    C:\Windows\system32\Gejcjbah.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\Gbnccfpb.exe
      C:\Windows\system32\Gbnccfpb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        20⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Henidd32.exe

Filesize
108KB

MD5
e7c936ca43a655127db6dcd71fbae382

SHA1
ba92887f795b0e4ee56adb38ed5e5e5225dd0e86

SHA256
b7705399d9c609a17baaedaf66c794ffaa7f36073f3e1523bcf0f82b02f78b09

SHA512
2ab4f73bdab806283b6645dc736d1ba90a7f21cf778c82c4d1ece94963d68621b7aea591aac74964318ae4cff017995ef199ec12ea89bbb761f61b7c40674836

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
108KB

MD5
93083945016b8ae29d5061771248e2e8

SHA1
8deb52b1edb029db2faa8b254eed7c7fdf511aa2

SHA256
676a10b698cd62dfe22aaf6f0df48b2ef30bafc71e6dd0a719def909a47c52ce

SHA512
b8a9da8c46430994edad9bbac9e8e58be38ecf649ccd8e8557e2ba3e649b653574703ba37919a97f2003f17b522a11eb6dc1df1ff028cbcb63eba96b53368dd5

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
108KB

MD5
a2402dd692f82489332c2d73571bdc76

SHA1
e89b99185a674be60b9b9761f91b7d5f187f81e5

SHA256
806f4de0a839cdedcc1ed3508f2d634cfb4fc5a557517c4f9d70a04254e10203

SHA512
61ec2c274e0a034d1674e3237256249721bd90c8a28a39fe0ac86ff2419a22abc47952328b428183eac879ab8b66106be3661058338a45d87dba2809bc96ffbe

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
108KB

MD5
9885a630d85dd0205bef40ccab606245

SHA1
ce26bbde613315462cdd3e4fa21696c6f9419fa2

SHA256
5df7bc78ed2b85655f07961240b2c714c86d2c860c280dfbf92f8a84238c5960

SHA512
31942a86733d88c4b2ed41562e21112bccd121dd16a7a049ad6d68df62df42025e4594a92c865920b1830c736df095710549bc022abc68de7c601b10d36c79b4

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
108KB

MD5
e36051fed2cf0242aa3e0881af6f5ac8

SHA1
082ac155829b44dd4dba7400409f527c28868f14

SHA256
7380481bdb1d243f274fe42867c01ae3ef195a9f452cabd39d2357b93ab61007

SHA512
c4e0e1d3824dd881e89c5e2b31d5087135d6cde7f5d71ccc4bb9331097fe4d97f67bd3bb7a57c34f04dbbc8dd290d8cfb8e4838ea42fd80fc21fd5fc828d5d15

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
108KB

MD5
eca5af26cef88efb96a995588ce05ab5

SHA1
fdf91ad8ef400877e08475144524cba8736b247b

SHA256
8471c4d94c18b5077dc291bac4e6bd5bd90d7fb785f2cfee68a0465bcb045505

SHA512
466ce129ef5eecc8cb8a2bc0b0e5357bb268180d7d3983e703452e09951a329f7457e698867d0d4db9b3c110c22f7ee69dcb4e01a9a948777c2964c8a93930b5

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
108KB

MD5
560475cb851a5a419909f7e71cd667a6

SHA1
ad71b0d3395df01a1e6168b885e013e371e63951

SHA256
78c5c952ec9804da92783089261c078e1b642f8136ca394cd5770dffc4cd49ec

SHA512
ee31be2fa1fd94d1b192327e2d18d9e4be5fabd96eaa8a9f31744615472c8699c028cd7a26f43d6f0bee4ae8782548a623486cb18f63f6114bcc69e96db96dd2

Download Submit
\Windows\SysWOW64\Gejcjbah.exe

Filesize
108KB

MD5
b7f2dcf1161a710887a7ac5d4c2e6039

SHA1
dc1c1df140381feea8cd245ce34c4869754817a5

SHA256
e3c3dce9e7f2ede3167e1b87ddd304d18249c7a579c1cfe2d55ae326e4703a37

SHA512
3d94fb3496c0b764cc22e4b57cf4bb9d4520fcf68a1bb855d093b459acd0930827846756b2e3189f9b55232f00fbc471dac9f36b6b40752d131c34fd7b4373ad

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
108KB

MD5
cd7899bbc2a637d8447a1cb9a20bfd3e

SHA1
5c720ac0700c839bfcf516c1028b5c864336885a

SHA256
148a3bcfbc66cff7f94899febb4b1d3ace7fa65b4eeeff995de6b4e54c775124

SHA512
c988a39216ebe42822965f7535f1f7168be84f0304f6aff33148c95e140aac87fc1a178a231d6bd4118bab2bc4c7cd63a9604503c606d8afc54cb318c5363adb

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
108KB

MD5
a166e8f1a12efba1c699f3b3facaee88

SHA1
5da06ca668822af38a6cd0b06ff7691e6285103d

SHA256
154eb01498a9e5841d2e92d862413796564400b906392924fbb53a327ac8cddf

SHA512
5c9ce6b02ed9744882636fdadfda7934c1ba552c80fff513b8834437b42b818681da816d397ad3c7a84b3a1563f7e687aa47e8db112260e0c592eedce718ba7a

Download Submit
\Windows\SysWOW64\Ghoegl32.exe

Filesize
108KB

MD5
370075fe52ab1d797513000152464361

SHA1
5cb43bc1b24c9df4faa1999ffc7240f31423e566

SHA256
4b3e03ed10305400ec9841dae3e8f5288f3a110f54d518734ed42bb8a4f3e030

SHA512
d901ae91d22da63afe60b8c7d6db819f25751534bcf9bc5f8c8c3223b0d294aab79764c01d1452929e19757b0c828bb6250a53a19d4b7abea1794e4ebe1dd1a7

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
108KB

MD5
c632b3c04a9ee000caf7b0a22f5872a0

SHA1
868085d6c2aea62ebf34d799470799ea380dfdae

SHA256
4a18d140b16241710c8107f1594b57f8dbfdb6244d7d443175c740b74be8d82c

SHA512
5b98dab4c655ac3cb3fa48e91d44fb7bafb80885b069fcdcab5ff4469c017e7027233e375cb47516fec431efca0c56e718b511b44fe9587aa6dc9403bab1b784

Download Submit
\Windows\SysWOW64\Gmgdddmq.exe

Filesize
108KB

MD5
d09286678ef0afcedf708569e2fe4018

SHA1
c373309c48413d91431d07a561b634a9f6997eff

SHA256
97128969ee77e70203d2936dadfea8bab71547c528bb6ccd3cddb6a901b833a3

SHA512
7489beaba4dac48b11d728cfdf29017d9c1e63705c7b3987fa9f7b7a93128211d02f007b2238c724c118a1c189ea614aadebe53232f39e54387ba05694a0358e

Download Submit
\Windows\SysWOW64\Hckcmjep.exe

Filesize
108KB

MD5
e2b0e02e4172af7e9cffb13b727d3a40

SHA1
02d21dcd4f3c404041929e902aecc63a1876aae5

SHA256
78d3cef8d3daafd7382f652aa7ec7d8c552a5549669d986ce60ee5cea8adf778

SHA512
b7cbc2d6fd1175c699a43ccaf2c485155fd3185bc92088ae50e73fc4f3905422fea8f9edfa169e3519e6f08430dfeea1a4a68221f51fed5e781b13036181bfa8

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
108KB

MD5
8004ab49d3c51899f176d304ff19e116

SHA1
db104c4c4c9b21128150526b7aa2f1e281fbd21b

SHA256
ced808f16074ecd8d79aee4b691ec0e0706a5058726c5da1c93ce4463902eb80

SHA512
35d4f9a54c2f4d596ac4c857b943361daa4f34df2c0435aac685787ef1eb216002687f02e2876e6e4ff85aebabc58c0466fd1b6c9edda210c2487c88696e60c4

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
108KB

MD5
6e32237365d1d0ba8d2252aa747c4d0f

SHA1
27324352be13d15f885625106ce228bebf67c6f2

SHA256
b77d9a94fd04f764a3282ed37177a94a38ce901cf9c1a076e2d5707d92204be4

SHA512
390eb16b7cea2c6a3092e7781e906417820156a50e5603bff54032ee0a8296c84cfafd98f1db11832b73fd19256a615a26a82af96ac516fba0dc0bb9d8835bd8

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
108KB

MD5
bbc52812c1ec48dff8ecc98137ce2995

SHA1
a66baf528e15cb4b033d9956262aee39c3f8e0c8

SHA256
db0321a3f6560da21ccee8ec154e081cd57335af20232f75bb1b60aa6e49d283

SHA512
70c0614522d56423da83edd75a600f26674fdb9e53c4c2df15951d75877b01e6079e408675a5292bea001662f3f035ab38acd4cbf98775bfcb0064d889ad0dc4

Download Submit
\Windows\SysWOW64\Hiekid32.exe

Filesize
108KB

MD5
ae734fcbe41bc24e019ec45cd322eb16

SHA1
2260e3e7b976db0548faf56c6b6714a7a57820c7

SHA256
1facd0c4496350e800825cc755d1a8cf5bb49c3cd96648ee3c54f66e92ebbc3a

SHA512
65d8e473b5726e96112eff594ca2738a0054b53de5c77fdf9eb73f646b2ab11cd460e873edb001aeda8b9658bba85e613a1da25d47a64dbcffd2fb07084287b1

Download Submit
\Windows\SysWOW64\Hpapln32.exe

Filesize
108KB

MD5
73f74f900d1849d930774c57d9e3b596

SHA1
3067b7d569fcd187470ba26ab9e234d9da0d57a5

SHA256
1ce4075c1d52714eb32ae9fa43d3b8fa7574b951e8f7d69895d0b11bbb24aee1

SHA512
23ddafdf0367bcc25febf1d40c25fe2acd22b57eb8c1ead71fd880e325c357206f02bb880002fea9cf8ff797daa6868824df8d4c3563b4185dc52af35e17a7b4

Download Submit
memory/308-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/308-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/592-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/700-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/700-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1420-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-6-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1948-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-238-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2064-237-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2064-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2272-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-87-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2416-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-65-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2556-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-46-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2620-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-20-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2944-26-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2944-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads