0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 16:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Size

512KB
MD5

7fbec2fd2a3d193f63fed3814f8d3600
SHA1

f1d0bb3a47c4e74f063f75eb8ee2b0bcf5664b09
SHA256

0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7
SHA512

26fdce9ffdb5d9c39a7a1cf3536236ebce789f1833263f27f9bc22ca134c656a5378e2701510b30fcf79b18d00e43be5ea95211bc2bf2a638bb1a7bed0f37d4a
SSDEEP

6144:+v0MZaLsrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:+v0tr/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe

Executes dropped EXE 18 IoCs

pid	Process
1644	Fckjalhj.exe
2556	Fhhcgj32.exe
2852	Fjilieka.exe
2684	Fjlhneio.exe
2616	Fddmgjpo.exe
2528	Gpmjak32.exe
1928	Ghhofmql.exe
752	Glfhll32.exe
2348	Gogangdc.exe
1476	Hahjpbad.exe
1592	Hnojdcfi.exe
620	Hlcgeo32.exe
1144	Hhjhkq32.exe
2808	Hpapln32.exe
2256	Hhmepp32.exe
2244	Idceea32.exe
1440	Iknnbklc.exe
3060	Iagfoe32.exe

Loads dropped DLL 40 IoCs

pid	Process
1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
1644	Fckjalhj.exe
1644	Fckjalhj.exe
2556	Fhhcgj32.exe
2556	Fhhcgj32.exe
2852	Fjilieka.exe
2852	Fjilieka.exe
2684	Fjlhneio.exe
2684	Fjlhneio.exe
2616	Fddmgjpo.exe
2616	Fddmgjpo.exe
2528	Gpmjak32.exe
2528	Gpmjak32.exe
1928	Ghhofmql.exe
1928	Ghhofmql.exe
752	Glfhll32.exe
752	Glfhll32.exe
2348	Gogangdc.exe
2348	Gogangdc.exe
1476	Hahjpbad.exe
1476	Hahjpbad.exe
1592	Hnojdcfi.exe
1592	Hnojdcfi.exe
620	Hlcgeo32.exe
620	Hlcgeo32.exe
1144	Hhjhkq32.exe
1144	Hhjhkq32.exe
2808	Hpapln32.exe
2808	Hpapln32.exe
2256	Hhmepp32.exe
2256	Hhmepp32.exe
2244	Idceea32.exe
2244	Idceea32.exe
1440	Iknnbklc.exe
1440	Iknnbklc.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Jiiegafd.dll	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fjilieka.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Fckjalhj.exe	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Fckjalhj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	3060	WerFault.exe	45

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll"	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1644	1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe	28
PID 1900 wrote to memory of 1644	1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe	28
PID 1900 wrote to memory of 1644	1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe	28
PID 1900 wrote to memory of 1644	1900	0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe	28
PID 1644 wrote to memory of 2556	1644	Fckjalhj.exe	29
PID 1644 wrote to memory of 2556	1644	Fckjalhj.exe	29
PID 1644 wrote to memory of 2556	1644	Fckjalhj.exe	29
PID 1644 wrote to memory of 2556	1644	Fckjalhj.exe	29
PID 2556 wrote to memory of 2852	2556	Fhhcgj32.exe	30
PID 2556 wrote to memory of 2852	2556	Fhhcgj32.exe	30
PID 2556 wrote to memory of 2852	2556	Fhhcgj32.exe	30
PID 2556 wrote to memory of 2852	2556	Fhhcgj32.exe	30
PID 2852 wrote to memory of 2684	2852	Fjilieka.exe	31
PID 2852 wrote to memory of 2684	2852	Fjilieka.exe	31
PID 2852 wrote to memory of 2684	2852	Fjilieka.exe	31
PID 2852 wrote to memory of 2684	2852	Fjilieka.exe	31
PID 2684 wrote to memory of 2616	2684	Fjlhneio.exe	32
PID 2684 wrote to memory of 2616	2684	Fjlhneio.exe	32
PID 2684 wrote to memory of 2616	2684	Fjlhneio.exe	32
PID 2684 wrote to memory of 2616	2684	Fjlhneio.exe	32
PID 2616 wrote to memory of 2528	2616	Fddmgjpo.exe	33
PID 2616 wrote to memory of 2528	2616	Fddmgjpo.exe	33
PID 2616 wrote to memory of 2528	2616	Fddmgjpo.exe	33
PID 2616 wrote to memory of 2528	2616	Fddmgjpo.exe	33
PID 2528 wrote to memory of 1928	2528	Gpmjak32.exe	34
PID 2528 wrote to memory of 1928	2528	Gpmjak32.exe	34
PID 2528 wrote to memory of 1928	2528	Gpmjak32.exe	34
PID 2528 wrote to memory of 1928	2528	Gpmjak32.exe	34
PID 1928 wrote to memory of 752	1928	Ghhofmql.exe	35
PID 1928 wrote to memory of 752	1928	Ghhofmql.exe	35
PID 1928 wrote to memory of 752	1928	Ghhofmql.exe	35
PID 1928 wrote to memory of 752	1928	Ghhofmql.exe	35
PID 752 wrote to memory of 2348	752	Glfhll32.exe	36
PID 752 wrote to memory of 2348	752	Glfhll32.exe	36
PID 752 wrote to memory of 2348	752	Glfhll32.exe	36
PID 752 wrote to memory of 2348	752	Glfhll32.exe	36
PID 2348 wrote to memory of 1476	2348	Gogangdc.exe	37
PID 2348 wrote to memory of 1476	2348	Gogangdc.exe	37
PID 2348 wrote to memory of 1476	2348	Gogangdc.exe	37
PID 2348 wrote to memory of 1476	2348	Gogangdc.exe	37
PID 1476 wrote to memory of 1592	1476	Hahjpbad.exe	38
PID 1476 wrote to memory of 1592	1476	Hahjpbad.exe	38
PID 1476 wrote to memory of 1592	1476	Hahjpbad.exe	38
PID 1476 wrote to memory of 1592	1476	Hahjpbad.exe	38
PID 1592 wrote to memory of 620	1592	Hnojdcfi.exe	39
PID 1592 wrote to memory of 620	1592	Hnojdcfi.exe	39
PID 1592 wrote to memory of 620	1592	Hnojdcfi.exe	39
PID 1592 wrote to memory of 620	1592	Hnojdcfi.exe	39
PID 620 wrote to memory of 1144	620	Hlcgeo32.exe	40
PID 620 wrote to memory of 1144	620	Hlcgeo32.exe	40
PID 620 wrote to memory of 1144	620	Hlcgeo32.exe	40
PID 620 wrote to memory of 1144	620	Hlcgeo32.exe	40
PID 1144 wrote to memory of 2808	1144	Hhjhkq32.exe	41
PID 1144 wrote to memory of 2808	1144	Hhjhkq32.exe	41
PID 1144 wrote to memory of 2808	1144	Hhjhkq32.exe	41
PID 1144 wrote to memory of 2808	1144	Hhjhkq32.exe	41
PID 2808 wrote to memory of 2256	2808	Hpapln32.exe	42
PID 2808 wrote to memory of 2256	2808	Hpapln32.exe	42
PID 2808 wrote to memory of 2256	2808	Hpapln32.exe	42
PID 2808 wrote to memory of 2256	2808	Hpapln32.exe	42
PID 2256 wrote to memory of 2244	2256	Hhmepp32.exe	43
PID 2256 wrote to memory of 2244	2256	Hhmepp32.exe	43
PID 2256 wrote to memory of 2244	2256	Hhmepp32.exe	43
PID 2256 wrote to memory of 2244	2256	Hhmepp32.exe	43

C:\Users\Admin\AppData\Local\Temp\0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0714b15c02ea8fed5aab6d0b894aaf970b21111eff0afc681bcda0ecda6e35d7_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Fckjalhj.exe
  C:\Windows\system32\Fckjalhj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\Fhhcgj32.exe
    C:\Windows\system32\Fhhcgj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Fjilieka.exe
      C:\Windows\system32\Fjilieka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
512KB

MD5
7381951697652f2527d9c169bc31a9b9

SHA1
02d0c699209022cae8ff1d68a774d469d9b5dbaf

SHA256
0353da8f77923e49378ca5eac4e8c634bb41aea2e5cf2e05548c7d7382f8b091

SHA512
faa76a8a86150c81b2bb4a7e80c9b0f8d5b47087fb93abd72d237031db5d8103461ff00ae08354349a0d72584ddb134741d95c3652074f69a46287d3292d5bc9

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
512KB

MD5
af370e60666f39d47ba5a4bf9855f66a

SHA1
7c7cde90c7fd28cd42ea18b2739dd8adff1a181b

SHA256
8c3ae668f66a6f44a817ad1b948613d4ac0faf13d1a0e780e0b0a0231a054cd3

SHA512
d740299d9e29a02a26ee2eec0dddd254d0fc004ac24bd77fc13928e33063f708ee920ab4706112711da252a51ef14093b87cb7e91d531b1ffbd8b1be30314b70

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
512KB

MD5
342f6e9a65f042dd35db22f0bf8eece9

SHA1
18e1254bfe85ae5e53408a45e195207d4142992b

SHA256
5214f1d68c5c24c83ee28156c4cd99ee26f693bec3ecdbaedffd7e2406274893

SHA512
60e15bc45f13dacafb124559b469bb2bdd5005cb29755671980b35daa5a843a7ffbf2e9b677b80db4acf0eae2a7003eb206bdb3c52dcd3aeecd4f3356f760f62

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
512KB

MD5
f1dba668fa86cf5756ca40b9e4e202f3

SHA1
3fd8aa4ef33324a9d25397a095eeae68a53cd592

SHA256
01d2ccccd2d4353733421b53a4f266cf62453d4457ef4a3d6f6710ee699ab108

SHA512
6e361cc7ed3418aa9b46d95ca084c278492602823e9a9e3d9c2b2c742e3bc19245f864a576f897dbd788c4340a5271478a9f712835966257a32fffffb259f6de

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
512KB

MD5
75dad3940bfb67fa35ce4803d43c3f7d

SHA1
83ed64e8161c20a7007f4a5fed69b50c4b5667a3

SHA256
5fdf79220b3a682df6df851c54d3c8c833bd868e2ac6100db4a6624e1a969ff1

SHA512
d09e6e4a7ec2bb8c6f550d0174358b202d08c86da4e657c58fa5ceb96637e1b96f49da65a69d2308ab29de7506127bca3645898855df22c23d84969471892c24

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
512KB

MD5
e60076fd6fedd4fe931277fedbc11192

SHA1
738fd9ced62377afc7fb042e1788f1c7b232b48f

SHA256
f36bfaae3f9801a8d164c42f78fa681a2c9a9cc775e7bac4c37b933faf94b9d5

SHA512
c80e4798387a83dd5408d298645ad7efa9ae3ceaebc84286ba70b165c62c9ac33e934b77b613f897ed459da85bc03f4c36fb124fafa407719e64c2ca531df093

Download Submit
\Windows\SysWOW64\Fckjalhj.exe

Filesize
512KB

MD5
eafdc773c67a9fd23caec3fa4404720c

SHA1
a4e1caf1269ca4a7d05ad55f697d28a638b03cfd

SHA256
233ddf16a22a022797d6c23d29782b9fadfda3b79cd36fad24a38532e298ed04

SHA512
848d3eeff6cd02445e041789a11608f1fd947e4f46b0fc13ea02b2770a1ab994f61de4649aca358024206b5cc01dee3c792afcf3b75e98f7093558fa31ce9ac3

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
512KB

MD5
4e2f60152bfedbf67f78f7126325dbdf

SHA1
b93d521bb8b686c76977efa02aa16e67c57ef39e

SHA256
2fbf5b7e7a68cc34db5523dab9103d849d081d3ac0d5cf0f7a03b7443995179d

SHA512
550067855cda54128d6f2a906a395d209956d57f425471ed2bef528567fde0a803f0eef3efb037154ab16d2d80792888d744ffdc144ea85338850e51e44e58cc

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
512KB

MD5
0b7cbe51b9835f9f9bd152304c0f9a9e

SHA1
4dee62bf1a7a39e543295cce321c009cbec0a4d5

SHA256
4d437596f42a5d1feff54381ed86abbf0a99bbda08aabaa0eecb440335374d52

SHA512
37fe366277f28c195b606ab3c48173ee9b9e2185045515330c6eac161ffb840aea5d8d3a0853d13762f798ee58d1c6f09f759454d246443690710435ffcca5ca

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
512KB

MD5
f0e8eeee395e85f85fb53fce7e6ea371

SHA1
23a8be6787f1d7aa8e2e6d250120d6e604a7f469

SHA256
a074f151785c5e625ab07b10f38f1b5f7311d58e3eaca484eb1d0c22b3f86944

SHA512
6add96e01acda655d4283cd1779454db6914f69016c19e87b8b367a2dd497d79ac4bf761290aed5233422fb2cc76c478528b920f31ccb9e791fe64038a51b9d1

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
512KB

MD5
5a2cfeba9126311630a16251a9317ee3

SHA1
ded3dcf9012e16d9f92265963482fd7180e4f354

SHA256
a49fe61f2b7c64c661408505f729f07f89ada88d66894c894f0f9286dcd29c88

SHA512
1c0aa01b8ce79e594a6b5078b7630150bf879988ca722f0841b86a76f1449a0a6b9eeab80e81a6cf503a4e903e3d287582297a10d8cfa17991c394800b8263d7

Download Submit
\Windows\SysWOW64\Glfhll32.exe

Filesize
512KB

MD5
a78ea5c04b5c20b06ba0e5f7b1796d7c

SHA1
cb223f6623df7e5d1c99ecbf6fe6b2b7be71a177

SHA256
e304a2934c56b51fe4a25610ba7c24e486fe93dc670fd6124752d7303077f75c

SHA512
9344dd090f45fccbde132ca43277716b41a7ed4a6eff7d03fff3371bdf5f6a378278703daa560cc3861e005732408956c11a7bc8fadc707c00d5f688470f231a

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
512KB

MD5
0e70488ffdfd5d7b3bb6df120c2a20d6

SHA1
a73f3f98bdfaf4de38e9312ab81da55f872a2f39

SHA256
7097333f961ff1e82007bf42907140d5ad457163b6afc8551678c245fdcc0102

SHA512
3d327b67b5edfe374e29aa7c1bcf1c6769ffe50c12a9487472dda49d9aa0a960929198bcfa227d3b8983a5fce5b94ca7ff5cbaddf408c10603861551ed2483e4

Download Submit
\Windows\SysWOW64\Hahjpbad.exe

Filesize
512KB

MD5
1159ec9e793199d6aa8d8c200e3acf8e

SHA1
94f41b9f619e1379a8ce78a7237e6b731e3c937a

SHA256
f519137210ff70455c023bd729b09afcc869d5740bc7bfa48f2e4941c313a5ca

SHA512
5f712c75a12e90207c934f8c9c7e8f51e39d7dad7d4793d0ea128fa02717939c624b5ef99820e480607b757bf392ad204adeb7c545537da64dd3376061cd9ef1

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
512KB

MD5
a005b5ce64237b9f856668386fd7168e

SHA1
62357e0fdc210525f28af8b2b35dd6089fcb9280

SHA256
2aa7156efe5798de87094a513147b75acfa2ce08d76aac015cc4d5e7499ef659

SHA512
5fc7da6de9e2a6f5c61fec92a5ff6e1016e75975a3885a778438d34b5b06b29e0e67443c6b079daa23a82b5785858d8784ebd2cf8d9a7d6a83c599e8319eb8b6

Download Submit
\Windows\SysWOW64\Hhmepp32.exe

Filesize
512KB

MD5
8541a480ffa476144afd3623a1b72727

SHA1
4926d0f327f92420b7363d3871b2715efc387322

SHA256
b5818418ec3d3d5fca39ec959411489ea085f7a49703fafc6a38065b526c9bd6

SHA512
7770d0be2f99ee2a9c562ede5a2c5d06d49e65d4f882f1cd89b207b1af49e1fbf7f8ff015e341bbe7eb45ff8c55bb5efdf1b82e4e890c0cacb42e20fa5d8681f

Download Submit
\Windows\SysWOW64\Hlcgeo32.exe

Filesize
512KB

MD5
84f072e799b49ee2d8d5c054e7830ffe

SHA1
e4c2ee2622e0b3ec2d5d3e9110a148808b7d3ae6

SHA256
8b2bcf595c3b23265464dd1de121857c7503fd8afcf96a7bec328f7d71b67a47

SHA512
d35f21d54d140fe7498ffcdeb1fc75e775e342bebc7d98ef09727612c6d0abdcdf189c41e337f5142a44a8690705b711595c075f418b988ce413675dde51d8db

Download Submit
\Windows\SysWOW64\Hnojdcfi.exe

Filesize
512KB

MD5
f546b17a93608c64dbddaeb325a3f6b5

SHA1
ed306e500f4aaaf51768ce03586e0b9919a8255e

SHA256
466363e8edf7cb2f3bbfbfb1a6715ba6c95bbeba0befb37d6a23b925086c95b6

SHA512
5044b171a60f9f6fec815ddfc58d7fe4f53e10aa67c196742f7d27271d389eb52dbfb30b8dd4218ba7b7b69121fe6228bfff1811d7eb201fc00ccf282e2539b7

Download Submit
memory/620-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-123-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/752-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-196-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1144-195-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1144-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-241-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1440-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-151-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1476-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-160-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/1592-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-27-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1644-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-26-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1644-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-6-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1928-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-109-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2244-231-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2244-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-221-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2256-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-132-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2528-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-91-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2556-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-41-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2556-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-77-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2684-69-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2684-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-206-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2808-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-60-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/3060-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads