8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Size

163KB
MD5

ef5a78af5fd0d9a9de04f49d0c2be860
SHA1

006c9437035975dcca19e3e7834e1e33266d0ace
SHA256

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539
SHA512

8fa5392aac55f349d22d04b4a49f36f6322d9ec64010dd8cc3d8e085e7dee2c8f8189fb06ffde2f7488627e5ea3a817976fbd4990a137a165f7caad5fb8daa8f
SSDEEP

1536:PyO1ZPwwSV1WyTCKA6rWerLYx02QJjTam97lProNVU4qNVUrk/9QbfBr+7GwKrPb:vjwwelCnwoGae7ltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ihoafpmp.exe8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeFioija32.exeHpapln32.exeGddifnbk.exeHcifgjgc.exeGogangdc.exeHpocfncj.exeGpknlk32.exeGbijhg32.exeHlhaqogk.exeGkihhhnm.exeGobgcg32.exeGacpdbej.exeHpmgqnfl.exeFbgmbg32.exeGopkmhjk.exeHahjpbad.exeFfkcbgek.exeGieojq32.exeFdapak32.exeFmjejphb.exeHkpnhgge.exeFdoclk32.exeHnagjbdf.exeFejgko32.exeHjhhocjj.exeGelppaof.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe

Executes dropped EXE 28 IoCs

Processes:

Fejgko32.exeFfkcbgek.exeFdoclk32.exeFdapak32.exeFioija32.exeFmjejphb.exeFbgmbg32.exeGpknlk32.exeGbijhg32.exeGopkmhjk.exeGieojq32.exeGobgcg32.exeGelppaof.exeGkihhhnm.exeGacpdbej.exeGogangdc.exeGddifnbk.exeHahjpbad.exeHcifgjgc.exeHkpnhgge.exeHpmgqnfl.exeHnagjbdf.exeHpocfncj.exeHjhhocjj.exeHpapln32.exeHlhaqogk.exeIhoafpmp.exeIagfoe32.exe

pid	process
2964	Fejgko32.exe
2556	Ffkcbgek.exe
2728	Fdoclk32.exe
2836	Fdapak32.exe
2624	Fioija32.exe
2472	Fmjejphb.exe
2104	Fbgmbg32.exe
1456	Gpknlk32.exe
2668	Gbijhg32.exe
2376	Gopkmhjk.exe
1584	Gieojq32.exe
236	Gobgcg32.exe
768	Gelppaof.exe
2776	Gkihhhnm.exe
2804	Gacpdbej.exe
2220	Gogangdc.exe
1596	Gddifnbk.exe
988	Hahjpbad.exe
1440	Hcifgjgc.exe
448	Hkpnhgge.exe
2860	Hpmgqnfl.exe
1292	Hnagjbdf.exe
2424	Hpocfncj.exe
772	Hjhhocjj.exe
2036	Hpapln32.exe
2952	Hlhaqogk.exe
2748	Ihoafpmp.exe
2544	Iagfoe32.exe

Loads dropped DLL 60 IoCs

Processes:

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeFejgko32.exeFfkcbgek.exeFdoclk32.exeFdapak32.exeFioija32.exeFmjejphb.exeFbgmbg32.exeGpknlk32.exeGbijhg32.exeGopkmhjk.exeGieojq32.exeGobgcg32.exeGelppaof.exeGkihhhnm.exeGacpdbej.exeGogangdc.exeGddifnbk.exeHahjpbad.exeHcifgjgc.exeHkpnhgge.exeHpmgqnfl.exeHnagjbdf.exeHpocfncj.exeHjhhocjj.exeHpapln32.exeHlhaqogk.exeIhoafpmp.exeWerFault.exe

pid	process
1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
2964	Fejgko32.exe
2964	Fejgko32.exe
2556	Ffkcbgek.exe
2556	Ffkcbgek.exe
2728	Fdoclk32.exe
2728	Fdoclk32.exe
2836	Fdapak32.exe
2836	Fdapak32.exe
2624	Fioija32.exe
2624	Fioija32.exe
2472	Fmjejphb.exe
2472	Fmjejphb.exe
2104	Fbgmbg32.exe
2104	Fbgmbg32.exe
1456	Gpknlk32.exe
1456	Gpknlk32.exe
2668	Gbijhg32.exe
2668	Gbijhg32.exe
2376	Gopkmhjk.exe
2376	Gopkmhjk.exe
1584	Gieojq32.exe
1584	Gieojq32.exe
236	Gobgcg32.exe
236	Gobgcg32.exe
768	Gelppaof.exe
768	Gelppaof.exe
2776	Gkihhhnm.exe
2776	Gkihhhnm.exe
2804	Gacpdbej.exe
2804	Gacpdbej.exe
2220	Gogangdc.exe
2220	Gogangdc.exe
1596	Gddifnbk.exe
1596	Gddifnbk.exe
988	Hahjpbad.exe
988	Hahjpbad.exe
1440	Hcifgjgc.exe
1440	Hcifgjgc.exe
448	Hkpnhgge.exe
448	Hkpnhgge.exe
2860	Hpmgqnfl.exe
2860	Hpmgqnfl.exe
1292	Hnagjbdf.exe
1292	Hnagjbdf.exe
2424	Hpocfncj.exe
2424	Hpocfncj.exe
772	Hjhhocjj.exe
772	Hjhhocjj.exe
2036	Hpapln32.exe
2036	Hpapln32.exe
2952	Hlhaqogk.exe
2952	Hlhaqogk.exe
2748	Ihoafpmp.exe
2748	Ihoafpmp.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

Gobgcg32.exeGddifnbk.exeHjhhocjj.exeHpapln32.exeIhoafpmp.exeFbgmbg32.exeGkihhhnm.exeHcifgjgc.exeHpmgqnfl.exeFejgko32.exeGbijhg32.exeFfkcbgek.exeFdoclk32.exeGopkmhjk.exeGelppaof.exeGacpdbej.exe8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeHlhaqogk.exeGogangdc.exeHahjpbad.exeFmjejphb.exeFdapak32.exeHpocfncj.exeFioija32.exeGpknlk32.exeGieojq32.exeHkpnhgge.exeHnagjbdf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gkihhhnm.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Qdcbfq32.dll	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2300 2544 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2300	2544	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Gopkmhjk.exeGobgcg32.exeGogangdc.exeHnagjbdf.exeFfkcbgek.exeFmjejphb.exeHpmgqnfl.exeHpocfncj.exeHlhaqogk.exeIhoafpmp.exe8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeFdoclk32.exeFbgmbg32.exeHkpnhgge.exeFejgko32.exeGbijhg32.exeGelppaof.exeGkihhhnm.exeGacpdbej.exeHjhhocjj.exeFdapak32.exeFioija32.exeGpknlk32.exeGieojq32.exeHpapln32.exeHcifgjgc.exeHahjpbad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll"	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1900 wrote to memory of 2964	1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Fejgko32.exe
PID 1900 wrote to memory of 2964	1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Fejgko32.exe
PID 1900 wrote to memory of 2964	1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Fejgko32.exe
PID 1900 wrote to memory of 2964	1900	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Fejgko32.exe
PID 2964 wrote to memory of 2556	2964	Fejgko32.exe	Ffkcbgek.exe
PID 2964 wrote to memory of 2556	2964	Fejgko32.exe	Ffkcbgek.exe
PID 2964 wrote to memory of 2556	2964	Fejgko32.exe	Ffkcbgek.exe
PID 2964 wrote to memory of 2556	2964	Fejgko32.exe	Ffkcbgek.exe
PID 2556 wrote to memory of 2728	2556	Ffkcbgek.exe	Fdoclk32.exe
PID 2556 wrote to memory of 2728	2556	Ffkcbgek.exe	Fdoclk32.exe
PID 2556 wrote to memory of 2728	2556	Ffkcbgek.exe	Fdoclk32.exe
PID 2556 wrote to memory of 2728	2556	Ffkcbgek.exe	Fdoclk32.exe
PID 2728 wrote to memory of 2836	2728	Fdoclk32.exe	Fdapak32.exe
PID 2728 wrote to memory of 2836	2728	Fdoclk32.exe	Fdapak32.exe
PID 2728 wrote to memory of 2836	2728	Fdoclk32.exe	Fdapak32.exe
PID 2728 wrote to memory of 2836	2728	Fdoclk32.exe	Fdapak32.exe
PID 2836 wrote to memory of 2624	2836	Fdapak32.exe	Fioija32.exe
PID 2836 wrote to memory of 2624	2836	Fdapak32.exe	Fioija32.exe
PID 2836 wrote to memory of 2624	2836	Fdapak32.exe	Fioija32.exe
PID 2836 wrote to memory of 2624	2836	Fdapak32.exe	Fioija32.exe
PID 2624 wrote to memory of 2472	2624	Fioija32.exe	Fmjejphb.exe
PID 2624 wrote to memory of 2472	2624	Fioija32.exe	Fmjejphb.exe
PID 2624 wrote to memory of 2472	2624	Fioija32.exe	Fmjejphb.exe
PID 2624 wrote to memory of 2472	2624	Fioija32.exe	Fmjejphb.exe
PID 2472 wrote to memory of 2104	2472	Fmjejphb.exe	Fbgmbg32.exe
PID 2472 wrote to memory of 2104	2472	Fmjejphb.exe	Fbgmbg32.exe
PID 2472 wrote to memory of 2104	2472	Fmjejphb.exe	Fbgmbg32.exe
PID 2472 wrote to memory of 2104	2472	Fmjejphb.exe	Fbgmbg32.exe
PID 2104 wrote to memory of 1456	2104	Fbgmbg32.exe	Gpknlk32.exe
PID 2104 wrote to memory of 1456	2104	Fbgmbg32.exe	Gpknlk32.exe
PID 2104 wrote to memory of 1456	2104	Fbgmbg32.exe	Gpknlk32.exe
PID 2104 wrote to memory of 1456	2104	Fbgmbg32.exe	Gpknlk32.exe
PID 1456 wrote to memory of 2668	1456	Gpknlk32.exe	Gbijhg32.exe
PID 1456 wrote to memory of 2668	1456	Gpknlk32.exe	Gbijhg32.exe
PID 1456 wrote to memory of 2668	1456	Gpknlk32.exe	Gbijhg32.exe
PID 1456 wrote to memory of 2668	1456	Gpknlk32.exe	Gbijhg32.exe
PID 2668 wrote to memory of 2376	2668	Gbijhg32.exe	Gopkmhjk.exe
PID 2668 wrote to memory of 2376	2668	Gbijhg32.exe	Gopkmhjk.exe
PID 2668 wrote to memory of 2376	2668	Gbijhg32.exe	Gopkmhjk.exe
PID 2668 wrote to memory of 2376	2668	Gbijhg32.exe	Gopkmhjk.exe
PID 2376 wrote to memory of 1584	2376	Gopkmhjk.exe	Gieojq32.exe
PID 2376 wrote to memory of 1584	2376	Gopkmhjk.exe	Gieojq32.exe
PID 2376 wrote to memory of 1584	2376	Gopkmhjk.exe	Gieojq32.exe
PID 2376 wrote to memory of 1584	2376	Gopkmhjk.exe	Gieojq32.exe
PID 1584 wrote to memory of 236	1584	Gieojq32.exe	Gobgcg32.exe
PID 1584 wrote to memory of 236	1584	Gieojq32.exe	Gobgcg32.exe
PID 1584 wrote to memory of 236	1584	Gieojq32.exe	Gobgcg32.exe
PID 1584 wrote to memory of 236	1584	Gieojq32.exe	Gobgcg32.exe
PID 236 wrote to memory of 768	236	Gobgcg32.exe	Gelppaof.exe
PID 236 wrote to memory of 768	236	Gobgcg32.exe	Gelppaof.exe
PID 236 wrote to memory of 768	236	Gobgcg32.exe	Gelppaof.exe
PID 236 wrote to memory of 768	236	Gobgcg32.exe	Gelppaof.exe
PID 768 wrote to memory of 2776	768	Gelppaof.exe	Gkihhhnm.exe
PID 768 wrote to memory of 2776	768	Gelppaof.exe	Gkihhhnm.exe
PID 768 wrote to memory of 2776	768	Gelppaof.exe	Gkihhhnm.exe
PID 768 wrote to memory of 2776	768	Gelppaof.exe	Gkihhhnm.exe
PID 2776 wrote to memory of 2804	2776	Gkihhhnm.exe	Gacpdbej.exe
PID 2776 wrote to memory of 2804	2776	Gkihhhnm.exe	Gacpdbej.exe
PID 2776 wrote to memory of 2804	2776	Gkihhhnm.exe	Gacpdbej.exe
PID 2776 wrote to memory of 2804	2776	Gkihhhnm.exe	Gacpdbej.exe
PID 2804 wrote to memory of 2220	2804	Gacpdbej.exe	Gogangdc.exe
PID 2804 wrote to memory of 2220	2804	Gacpdbej.exe	Gogangdc.exe
PID 2804 wrote to memory of 2220	2804	Gacpdbej.exe	Gogangdc.exe
PID 2804 wrote to memory of 2220	2804	Gacpdbej.exe	Gogangdc.exe

C:\Users\Admin\AppData\Local\Temp\8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Fejgko32.exe
C:\Windows\system32\Fejgko32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\Ffkcbgek.exe
C:\Windows\system32\Ffkcbgek.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Fdoclk32.exe
C:\Windows\system32\Fdoclk32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\Fioija32.exe
C:\Windows\system32\Fioija32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\Fbgmbg32.exe
C:\Windows\system32\Fbgmbg32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\system32\Gbijhg32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\Gopkmhjk.exe
C:\Windows\system32\Gopkmhjk.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\Gieojq32.exe
C:\Windows\system32\Gieojq32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\system32\Gkihhhnm.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\Gogangdc.exe
C:\Windows\system32\Gogangdc.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2220

C:\Windows\SysWOW64\Gddifnbk.exe
C:\Windows\system32\Gddifnbk.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596

C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:988

C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1440

C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\system32\Hkpnhgge.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:448

C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2860

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1292

C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2424

C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:772

C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2036

C:\Windows\SysWOW64\Hlhaqogk.exe
C:\Windows\system32\Hlhaqogk.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2952

C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2748

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
29⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 140
30⤵
- Loads dropped DLL
- Program crash
PID:2300

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffkcbgek.exe
Filesize
163KB

MD5
ffe4e18704833f4f836692b9dc26bee0

SHA1
f276ec8de824e9d248b5a560ad9c4b69d54e0e3f

SHA256
cac5d6137ff12e491f88bbb5bab8e190adf10410dd32a88aac64807c31466277

SHA512
3db2c3de77b5a48d0f1db8f788e9f3551e1432947dd9a1919178fb6c1e378d80c8004dc95b8f4bd4bf590f27fc4146416c8a46c7758187b6330e22f57c767839

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe
Filesize
163KB

MD5
250326045839483a454713f062ccee80

SHA1
3ab10d4560f7550ad02144c764f0fd0081b5dcb9

SHA256
e78b777125889b4d813d9c267961fc228beb3feca2dd230abcd15c72daf5ab9a

SHA512
16e28ba881b940d4fac65129cce2d9d1cfbe8657436aac7cd9ccb9024e2721e52f125670ad4501342bd2b46b3621d016e99923e0f428268e83cee30498960cc9

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe
Filesize
163KB

MD5
783ab98f0186cc1326d933512844f22a

SHA1
26a4122fdfe51b4c891c57b3b21cd6602ec6e773

SHA256
e84c7a76aa6af5d0d1d5efbccf3ec66961d78af2cbdada4e7c5d54379ee0e59f

SHA512
b00facb35573b7f360468914c8c952f50c183a338d3522992a1a3b90aac69c7c0a966422ed6882a297107f95f7344a6b9113c44aea6f978a80beaa056fe046fe

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe
Filesize
163KB

MD5
d5078f51ae5b6207336499190d0fda5a

SHA1
d0c04a95fef64f2e2744c4711899e1780e40c1c1

SHA256
b71f4cf2dc67a2e4df3141fad19e1d717fc5cadb9ab53178c68eb8b218a2e671

SHA512
a3241b73591f02ceff88c2e54b5c99e65664d8d62fefc00c57bc0bcb02d8e2fc2cf70b5e6b379c79d4bf11b6f915fc0a1eecd7bd8fd7edd62ca029bc3d562006

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe
Filesize
163KB

MD5
36b7d1f14567d018fb63c2de66d50d62

SHA1
0df7c8ac599fd80a2eafb0f8d9cbf8327410d9c5

SHA256
e95f1ea2ef1805dff3a13a979f30c6b9880dafadec8b4437a22bc29b626f4ac9

SHA512
bfef430dad495aea334825795c1ed969e54d8f9a4e66a31dd013755aef680701257012c346cd0c9feb107fd41b8c8238ca134fbc927dbdbc4976e73e3264d355

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe
Filesize
163KB

MD5
c054bdb0ef904017ce901f2bbd9a5724

SHA1
17be3359974c28718d6deeeb3fcf4d39ea6617d5

SHA256
a0cdfa64ed448ba1730be9cee94d6342b6aa35dca7b2ab6ed92aae904d7439d4

SHA512
bccde0f9dc66795d974b7c1e1a906f9908417d9fd77b4769d556f977fbaf2648cd2b70be5fbc2ed90fa46c985b886f5a777e1dfab10beafa43c6a2aeaac9fcc8

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe
Filesize
163KB

MD5
ca597ac004651e98041d76fbbdd2dfdf

SHA1
54591678f076ac4fd8ebbb549ff2648fee70a26e

SHA256
f90c077e771eda0a4f6c795e9e34330ec19e3e2dc9ab5dc105b9671a72d030ee

SHA512
f697fb654e44aa4352224342633d06cb7ed6e0c518705681f34f1f452098f319cb159175c9302b5cb255194ef278613a5b117978380b19b69dc3812ecb8ac937

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe
Filesize
163KB

MD5
baa34ec2673bbbc406131976de12f757

SHA1
561d8c7afc708b6824e08fd4131927e5ddb37824

SHA256
5800ff45471d3e703b9d2655977e840917cbb22c46eae02059621d0645a22b0e

SHA512
41888b998c2d913049d3176f95f4b6116ec479956394b21607276b9f43d95b706ab20591d50941add41a0989b201821467e556d46941266cf9f3bdda84f9f284

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe
Filesize
163KB

MD5
f3b0af6cda14fed08e8322319a647eb1

SHA1
0b015f10f16e28ce3335df656ca519a472b2b7d1

SHA256
cb4ab39ed70900027514a7ea5df91ec3873a4a10d191a0f2d862a29b771bcbb2

SHA512
1fdcfb7c4ebdc40785b72d5780d21fd2bddd694e0f969544c74b1aa2acbcf64f0449b21e06da2017397909a96794ce69ca563062fbc3d6c07ce6a77febe1db33

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe
Filesize
163KB

MD5
b1f372fc2d2f7638f0abff94b0559600

SHA1
570812436da169e2325aaddad940e29aa932c6c3

SHA256
57aa5b19969312ee64dfada111704131c276244c62fcd7cf94dac44689ba3a93

SHA512
4aecb6afb05ffe92c1d6f81bc818787619ab28d07892c312542168d2b79bcf58eeb0d00bed8558cde2f293c2015cd5f4e77ede9795cbb6ea4e6ce96fcd772336

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe
Filesize
163KB

MD5
eb451aecd32d70196a711eca14f1adb1

SHA1
b4b5dda2eea4c7ff3b9203e4eb3d8d5811332da5

SHA256
a84989945ba332c208a6e682e29e49453dc8796acdbc21496f37a91e19eb2ddd

SHA512
2e01e05fc9d9bc6bbfab83fefb758f1baaa3fbbffb7ebb1989471db23766065c7bc5feb57aa308e86ecf2712f7a229c689d73408ef89eb14e0c45d51532e0dc4

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe
Filesize
163KB

MD5
ac76b0632a8a0e3acaaed5533e8d35d8

SHA1
90b08378b42922ad9fb8fa8a101183624cc23f2a

SHA256
9d3175a7fa299790e95f5f4b9abd61dc5665c41b62488fde1e253e9a516d2ce4

SHA512
5f85e34884cae772a99e53bef255c5b949576acbabfbe85a3c19a85ce95bfa37678abe7379d32e94c3b027ae418dbb8f80c27093454ab384bf48079fe1d17e61

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
163KB

MD5
8da00f78950332b34749067711f97023

SHA1
21b595edf8840ea74d96437b2d32d188bc831d61

SHA256
021510abcd534d6ae42b08eb46f6f1c16e47d8d0ced16b849d345723ce99f150

SHA512
c28177f3c2a219b15593f7811592cbf395351a04595efe0f8c50736ac08878c050f6183189aa7366a7ae6d10be7271626a2f1f9f67584f39199e2116ddc9a152

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe
Filesize
163KB

MD5
f4937f43ec86b11d2df53cb04b9620df

SHA1
53d72be0b7a74b65f44650dbef68e9eaa0eed784

SHA256
e3aaa6fb6f580ba8dd316665712a1c98d23c1ccaebe686fe4b5aaa63cd602857

SHA512
45f48a778aa39d90c460f2e8eb5d5cefa448eed42b7c9e58891635a8f2d2e6e8bcdd1cadd0d0d318fe9a94232c669b50def31b3947fcf04ccaf003890c325bae

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe
Filesize
163KB

MD5
6407352f093c864a9700383e8a96e32c

SHA1
227eb07253c41ff603b9cc0ccf7c5f3173444558

SHA256
bf14d47c7b6f3201e8a096e58fbb96bb8250a48986d035745c388ef6b57a7058

SHA512
14468c0a4cb95e43a01ff96f6083a9b2603b060af9b3d41a9ff1c2390c8ab559045fe722cd7dd1c3ae9678f09c57e10d31e318c39160f0628a90b6c677731144

Download Submit
\Windows\SysWOW64\Fdapak32.exe
Filesize
163KB

MD5
ebf8c777b2c763d927684c496c02b6c5

SHA1
785c36623abd5395edd71c7b2aba2bc0c949a560

SHA256
1ddf6349b0c9f590ac819cc3b7d3a0dcaa432d58f4de1e49cb6c72bd51617e50

SHA512
8ce954d8effa9ad6dcae18793f292db5b4c6b194aaa0aab4fb4f1ffdff2842e221b84a6860895b3ab761e49cf5e28876639f828ffeaf1a910ff5ccc614ee9e5c

Download Submit
\Windows\SysWOW64\Fdoclk32.exe
Filesize
163KB

MD5
cac7dadc8c9400d5063a8edb8d26f2a9

SHA1
d3b8a38f46121a62d6d6ea9307c83df81278a590

SHA256
43c1f9dc15b60e3b8931282519883cb43f1891e925e3eb3b0d9fab7c153f166c

SHA512
ce6e974658182a8cbaeb8d67e484d58aed7c6a03c73abd4482b9060187fabbea2a113a3709052313b911ace37678c571768b3448c1ee8197d6ecf30364d01ee9

Download Submit
\Windows\SysWOW64\Fejgko32.exe
Filesize
163KB

MD5
b31eab3c7eadfbf47ce2bd89eacf2b97

SHA1
480274d02c6d1f5d61074f58d8f155b9fc4cf8a8

SHA256
49b976f8e5abf3a698f7707339ba484311345aac7edfce8a09f18bb07b6915ca

SHA512
9f582019cd660fee316ed7eaf0077f170a9a23c2973b76660b4f635ed16668cce2d72295e1fc7ad215a056d306fba845a3627b60bbda12e6b46ee9ed77463840

Download Submit
\Windows\SysWOW64\Fioija32.exe
Filesize
163KB

MD5
a58752f4c32ce0a6255b9fdb4c149211

SHA1
ef8aba76e1a7bc2661e717acd7352e3f043d508d

SHA256
d34fd716b272c9121d5e2e5254677f3a6b16d63b4091254c48092e87592ef39f

SHA512
03bc7addcc8733914f15a0505dc4cb550cbb636d9bfff83480e632bed734811145ed2c82ff55345eabb2500f46908f6198703ef95a0e68dd06097310c63b4686

Download Submit
\Windows\SysWOW64\Fmjejphb.exe
Filesize
163KB

MD5
74bdb9c299c2f7ae90f2543abfaf4894

SHA1
c50419455b8535256ccd1c92009da92700206d42

SHA256
7512a11113738d8438d3003cf888246f16cf46e18827188c58fd158d7a144b0b

SHA512
290f86962ff5e74f15cb2df073d51a25b3084e7883c5fd9111bc85a0ba71b37861f5c25b6b44a5e29d0fee8c38bfce7c33e0e3dc100f48cf1522e5e69caa3fb4

Download Submit
\Windows\SysWOW64\Gacpdbej.exe
Filesize
163KB

MD5
b3c1caaa412447089d9c9a4115b0bedb

SHA1
1373df0e8d971a09290ee8db81cd54f3257482e1

SHA256
469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4

SHA512
1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560

Download Submit
\Windows\SysWOW64\Gbijhg32.exe
Filesize
163KB

MD5
f75404a7fe9b70afc8eeb3cf0bec1326

SHA1
ad85ddc415e207759d0fedc9576cfd8b0f91b100

SHA256
8add80971197a79f60ad1385f54703d7118cf17fa4370b2f2ee5129f55d3d14f

SHA512
61679b8036384d092c2ec34445bd3cf7a4ca7d8c18a69b273d64d823fa7717acbf840a1f0a3e35d444c733ffa6a356824e95bf9d4e85c577e081c7e148c2e20a

Download Submit
\Windows\SysWOW64\Gieojq32.exe
Filesize
163KB

MD5
70f951722f6260db81b26b4ccc7e8af6

SHA1
ec9f816a0833180743f4b1760503a7a87c59966c

SHA256
93693fd7e8037e51850852c97aaa084272dba78ee5a66110de6f801d59766f18

SHA512
ee3fb46cbc476442b748c64110ea2bf95fd8d4cc4811b157c328752c6676a6aa3bc69936c0380495eefd6d6b9db9ec786764a030d224852536fe1b3c025f7ad2

Download Submit
\Windows\SysWOW64\Gkihhhnm.exe
Filesize
163KB

MD5
24826bf1ce1d976f8f7b6f53fbac82e5

SHA1
2bc93bc724c60e6e077cb98fe2c3dffa5e74998e

SHA256
b8bb196739ccecfcc18918ea6fed2e509a84c0e3173a3b9431f8f331fa133d46

SHA512
b5884cca1bd14311e4b211620671b6164927c5e882a82b43ed69f440f2fe6d20663cccf2b38d4306b28aaaa59793fd8b16bba62e84ae250a8f4e66e2d5bc69d6

Download Submit
\Windows\SysWOW64\Gobgcg32.exe
Filesize
163KB

MD5
64c41bf0379a62bf15e87b9f85d20dff

SHA1
f5c685b6b53d3ff80f41dfa9f103c5122951b9bd

SHA256
7d1fc740618c376f9a8f223bf926ca6e572dd9cc8eaa5117f4390dca6d6946a5

SHA512
01d0ee14ae99e6dcdc6edba4c2314611e5949f50b4f435ce3342dcce6b0e02b0abb6361584b348d7fa5e1284a07aed3ff9d886e31349e14b39e3069da25d7e9b

Download Submit
\Windows\SysWOW64\Gogangdc.exe
Filesize
163KB

MD5
73960457a1d552d02878f1f0e9353e24

SHA1
bbb049f96c599fb8b12b897c0e7ab86bc3e7e32f

SHA256
5968bd21ebce7b188ccf2635f643ac14b6f1a88ebb97c4f155214aba93faac7e

SHA512
5513df1ef2e145ac2a30762b4283a0677df615f47f2114f3a1eaae52448355a214be7703889af684448de53f6c643bb0f84a7345519a6644838674b989744619

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe
Filesize
163KB

MD5
4d4a52570ba584e63fc2df7f75ac5e5d

SHA1
30c035e5a7274ed2b5dce131ba84628a222d9cd4

SHA256
3902b2d884acc0032201fcc48aaa1e606bae2af0ed1518418865d197550cded6

SHA512
d6b4507ed0acd96f71691df23b39ac135bd2f23da9a4eb296ae7d0990f2222d566694ca32a4d43d161a56d4a50b73603d7a4194a3dc7d532b73b57fd39b1bab6

Download Submit
\Windows\SysWOW64\Gpknlk32.exe
Filesize
163KB

MD5
3aedf8787a29c45098e66761b94c491c

SHA1
f441649f0ae5181f771882dd5ffd24a68f82d4fa

SHA256
d16bd8108f5b9d0bc5556e0e8a94b27c98f4b457f151014e01c0c90f59f3fbc3

SHA512
81d90562f89b30b62628f4ed279efa04767515267d06a97e3c099e099596806f811dc3f6c47e61148230f68ec0727effb2c9b0813de580829468f60b9cc9f2da

Download Submit
memory/236-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/236-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-266-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/448-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-265-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/768-182-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/768-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-308-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/772-307-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/988-238-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-245-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/988-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-244-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1292-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1292-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-255-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1456-420-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1456-106-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1584-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1584-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-234-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1596-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-11-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2036-319-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2036-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2036-318-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2036-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-105-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2104-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-218-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-224-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/2220-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-223-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/2376-424-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2424-301-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2424-300-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2424-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2424-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2544-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2668-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2668-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2668-127-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2728-52-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2728-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-340-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2748-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-341-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2776-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2776-197-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2776-196-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2804-211-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2804-206-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2804-198-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2804-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-412-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-267-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-280-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2860-281-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2952-320-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-330-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2952-329-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2952-456-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-26-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2964-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads