aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 12:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Size

93KB
MD5

f9c760895e446f21997f88e40a011500
SHA1

93b189d1519982f3d46537fdbb62859c5cc2f047
SHA256

aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092
SHA512

172737bb1ce593e32f376456250548e660b22882fec0566afc99f57b2e540902f78d42babdc1cecd7cd759f8904272eed4daa849178be543b660c504f70b5aba
SSDEEP

1536:stEp4ijV0GymBzjsOVrVBk9fec+hrHWdGENzqsRQyRkRLJzeLD9N0iQGRNQR8Ryn:sF4hb3rZYOr2dGENzReySJdEN0s4WE+a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe

Executes dropped EXE 8 IoCs

pid	Process
2556	Bfpnmj32.exe
3040	Bhdgjb32.exe
2800	Bdkgocpm.exe
2480	Baohhgnf.exe
2976	Bobhal32.exe
2504	Cmgechbh.exe
1336	Cphndc32.exe
952	Ceegmj32.exe

Loads dropped DLL 20 IoCs

pid	Process
1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
2556	Bfpnmj32.exe
2556	Bfpnmj32.exe
3040	Bhdgjb32.exe
3040	Bhdgjb32.exe
2800	Bdkgocpm.exe
2800	Bdkgocpm.exe
2480	Baohhgnf.exe
2480	Baohhgnf.exe
2976	Bobhal32.exe
2976	Bobhal32.exe
2504	Cmgechbh.exe
2504	Cmgechbh.exe
1336	Cphndc32.exe
1336	Cphndc32.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmgechbh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	952	WerFault.exe	35

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgechbh.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2556	1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2556	1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2556	1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2556	1440	aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe	28
PID 2556 wrote to memory of 3040	2556	Bfpnmj32.exe	29
PID 2556 wrote to memory of 3040	2556	Bfpnmj32.exe	29
PID 2556 wrote to memory of 3040	2556	Bfpnmj32.exe	29
PID 2556 wrote to memory of 3040	2556	Bfpnmj32.exe	29
PID 3040 wrote to memory of 2800	3040	Bhdgjb32.exe	30
PID 3040 wrote to memory of 2800	3040	Bhdgjb32.exe	30
PID 3040 wrote to memory of 2800	3040	Bhdgjb32.exe	30
PID 3040 wrote to memory of 2800	3040	Bhdgjb32.exe	30
PID 2800 wrote to memory of 2480	2800	Bdkgocpm.exe	31
PID 2800 wrote to memory of 2480	2800	Bdkgocpm.exe	31
PID 2800 wrote to memory of 2480	2800	Bdkgocpm.exe	31
PID 2800 wrote to memory of 2480	2800	Bdkgocpm.exe	31
PID 2480 wrote to memory of 2976	2480	Baohhgnf.exe	32
PID 2480 wrote to memory of 2976	2480	Baohhgnf.exe	32
PID 2480 wrote to memory of 2976	2480	Baohhgnf.exe	32
PID 2480 wrote to memory of 2976	2480	Baohhgnf.exe	32
PID 2976 wrote to memory of 2504	2976	Bobhal32.exe	33
PID 2976 wrote to memory of 2504	2976	Bobhal32.exe	33
PID 2976 wrote to memory of 2504	2976	Bobhal32.exe	33
PID 2976 wrote to memory of 2504	2976	Bobhal32.exe	33
PID 2504 wrote to memory of 1336	2504	Cmgechbh.exe	34
PID 2504 wrote to memory of 1336	2504	Cmgechbh.exe	34
PID 2504 wrote to memory of 1336	2504	Cmgechbh.exe	34
PID 2504 wrote to memory of 1336	2504	Cmgechbh.exe	34
PID 1336 wrote to memory of 952	1336	Cphndc32.exe	35
PID 1336 wrote to memory of 952	1336	Cphndc32.exe	35
PID 1336 wrote to memory of 952	1336	Cphndc32.exe	35
PID 1336 wrote to memory of 952	1336	Cphndc32.exe	35
PID 952 wrote to memory of 2932	952	Ceegmj32.exe	36
PID 952 wrote to memory of 2932	952	Ceegmj32.exe	36
PID 952 wrote to memory of 2932	952	Ceegmj32.exe	36
PID 952 wrote to memory of 2932	952	Ceegmj32.exe	36

C:\Users\Admin\AppData\Local\Temp\aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aba973401e3a90188f59d46dc5722ba44320b547ff74f051856307dcd97a8092_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\Bfpnmj32.exe
  C:\Windows\system32\Bfpnmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Bhdgjb32.exe
    C:\Windows\system32\Bhdgjb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\Bdkgocpm.exe
      C:\Windows\system32\Bdkgocpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
93KB

MD5
3fefbbf59aa7b97661e07463a9b432f8

SHA1
d2895186d2820e9e5677ac577337bf027eb57f98

SHA256
1c14eaee548995a78e8eb61a9b0f0492e8c77d824841afc906b5dc00b7017490

SHA512
266038f86c41260f4b77204efaa4136e306dfa5ffe480c2fc4baa3ed8c4b6c66850ff36105feb0310c7a3ab95a437a956d74f0d448711fe1dbec907081a7bf9a

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
93KB

MD5
8148366b962d449119df1e300efbfcb9

SHA1
4ac6018a68f25ef76302559fcdb9807ed9734506

SHA256
0c68c3a82f00172c2bcf569c0b931b54c55acbbf4fc023fa453a649d246a93cf

SHA512
22857deeaa5c3eefc9f06b5f1dc0b890bf84c24d3fc6b0a646e13441a9fd0fa1a92a9634a0f0e3ad2b853156db87302ba5f825d2bea8261347fe5e12630a2293

Download Submit
C:\Windows\SysWOW64\Imklkg32.dll

Filesize
7KB

MD5
f9477e29d5e1f48b91e7ca4aa0796a18

SHA1
28667bffc10cc7bcacc8ce4e77de8667afe13dfe

SHA256
f701f2356641584a4858fbb75736a2988ce52a4eb0610d33b3255dee6d0a8745

SHA512
a7772f4b95c04b2b720781ac891e05156bf43b0911d5a42120fd776d0866edc33ffe0e5bcbe7fc9c52ed6382b05c70f283d47ae307dc4ee65c984e1f35430e42

Download Submit
\Windows\SysWOW64\Baohhgnf.exe

Filesize
93KB

MD5
0753c716227ebb624e418c3d5752e3da

SHA1
fd26757122d5f81e01966d997227a28ad20d65b8

SHA256
4e884b4bcff21ecc6a25f99765c9d6bfa431c829b6cb00d323d916fa6a1c5711

SHA512
6f6616d861e2c167024594057d44d5b591f318c61d844f90f22850d314838ebebc9e53c0f7f216b7fe93f06762bf6518ef60be33808774ac572f19319ae93a55

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
93KB

MD5
a4ef49162c3689f53eff10a3bc8d22ca

SHA1
7121305c6a122fcd9bec68ad035e983daa2bfca6

SHA256
74a071e2ab6b1f84ad641d493de52cc7f9c80e6cafc3b5971bb5280a8bf8d8e9

SHA512
d39c260114bc1dc08cc43f025ee666eb3b73cf2667d529eaaad1f9c3e54902e95d4493b3fb919548196f8b242951a6bb5730235054b364e25c7754f68f078c5d

Download Submit
\Windows\SysWOW64\Bfpnmj32.exe

Filesize
93KB

MD5
58c5eb13eb3cbed6321eab71ed37e952

SHA1
b0c73835758d49b274b526083b658695a22e43e2

SHA256
02d2ebc07edfd32669a0d4cd2ef3ad4ab844377e344a3da7f19019b1aefa6908

SHA512
eb7bf102940a9397cfc6f6288115195dcaaabe88e964853ee04c446a4f9a4863fce796e3c785c666b6205dacb8a48efd808cadf795d929d12dc04fe3a509414e

Download Submit
\Windows\SysWOW64\Bhdgjb32.exe

Filesize
93KB

MD5
fd5bf3d2d9529d9bd5beb648fcaa7e46

SHA1
5afe047a13e48286a576f939be94d03a0bb46c7f

SHA256
f913e820e298f7d1f888d8464b75758e5f846f62c40b5c2036e64ae1dd4ae7d2

SHA512
5a1ae02c12411827cdff02e3fbcce10dd7284109bd32fd0aa9e7aeb9794db9324cb453f2c6a55441c181900e73e84e7846bd6c7beb51cc3097960086b3aa9925

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
93KB

MD5
c153b80ab9b35684c1271c66168b5342

SHA1
4b09d240c6f17d6be06f23d55fc1554b69847187

SHA256
b731cb75bd298dd2a7f681b422cf7479ece97825dcfa64d0888a5746547b9904

SHA512
b58f9ebf2805d3e267b99d3cb76226996e093fce2608f4785c66376422f79d073c581db4de75e60cf468143108d360df7f4c153a5d40f717d358a3f6f8a6595b

Download Submit
\Windows\SysWOW64\Cphndc32.exe

Filesize
93KB

MD5
91faa4b9431b6da6342c68f71f60121c

SHA1
76cf13d63555ec61b07d494b7ac127c0433e4187

SHA256
3c8a49daf17da73f2f4a48edf69aa08341d18cc610de1eb0508efe0f8a99d27d

SHA512
e9be51c5a297c539f3fb6529773cfdfe037b8705c1904aab6bb646309f4c36f25e8934aba244391add2a3bab91c2b339ff26b571af9df3789a717c561f840bfc

Download Submit
memory/952-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/952-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-109-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1336-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1440-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2480-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-91-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2556-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-47-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2976-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-34-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/3040-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads