239e40cd51b0744b1b9006853fc8853ca0c24c7983964d8f005dd7504318655d

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Size

487KB
MD5

4e1ad03b6e326a79c12c95b2b1630c80
SHA1

627bc9576575c0c92d0476cabc6ebc3893645cf5
SHA256

239e40cd51b0744b1b9006853fc8853ca0c24c7983964d8f005dd7504318655d
SHA512

7fc928cd5c19047bb854c6065c951c3b9f21f8caa340e457403f02cfa5c6dac3c50e1262766afddb0f214e9993e226ea2bfd384f5e9597c291988ec4a94cd0a6
SSDEEP

6144:F7v+sII2y/JAQ///NR5fLYG3eujPQ///NR5f:F7vZTx/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djefobmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe

Executes dropped EXE 40 IoCs

pid	Process
2488	Dnlidb32.exe
2620	Dgdmmgpj.exe
2116	Djefobmk.exe
2708	Emcbkn32.exe
2388	Eflgccbp.exe
2824	Ecpgmhai.exe
1452	Eeqdep32.exe
2680	Efppoc32.exe
2276	Epieghdk.exe
1536	Enkece32.exe
1020	Eajaoq32.exe
672	Eiaiqn32.exe
1244	Fjgoce32.exe
332	Fmekoalh.exe
1028	Fpdhklkl.exe
1128	Fdoclk32.exe
1660	Gfefiemq.exe
1284	Ghfbqn32.exe
1796	Gopkmhjk.exe
908	Gejcjbah.exe
2016	Gobgcg32.exe
1416	Gbnccfpb.exe
2840	Gdopkn32.exe
1680	Gkihhhnm.exe
2780	Gmgdddmq.exe
2600	Gdamqndn.exe
2636	Hpkjko32.exe
2524	Hgdbhi32.exe
2556	Hicodd32.exe
2868	Hnojdcfi.exe
2408	Hpmgqnfl.exe
2496	Hckcmjep.exe
2304	Hiekid32.exe
2280	Hhjhkq32.exe
1544	Hodpgjha.exe
2160	Iaeiieeb.exe
1904	Ieqeidnl.exe
3000	Ilknfn32.exe
2224	Iknnbklc.exe
1004	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
2488	Dnlidb32.exe
2488	Dnlidb32.exe
2620	Dgdmmgpj.exe
2620	Dgdmmgpj.exe
2116	Djefobmk.exe
2116	Djefobmk.exe
2708	Emcbkn32.exe
2708	Emcbkn32.exe
2388	Eflgccbp.exe
2388	Eflgccbp.exe
2824	Ecpgmhai.exe
2824	Ecpgmhai.exe
1452	Eeqdep32.exe
1452	Eeqdep32.exe
2680	Efppoc32.exe
2680	Efppoc32.exe
2276	Epieghdk.exe
2276	Epieghdk.exe
1536	Enkece32.exe
1536	Enkece32.exe
1020	Eajaoq32.exe
1020	Eajaoq32.exe
672	Eiaiqn32.exe
672	Eiaiqn32.exe
1244	Fjgoce32.exe
1244	Fjgoce32.exe
332	Fmekoalh.exe
332	Fmekoalh.exe
1028	Fpdhklkl.exe
1028	Fpdhklkl.exe
1128	Fdoclk32.exe
1128	Fdoclk32.exe
1660	Gfefiemq.exe
1660	Gfefiemq.exe
1284	Ghfbqn32.exe
1284	Ghfbqn32.exe
1796	Gopkmhjk.exe
1796	Gopkmhjk.exe
908	Gejcjbah.exe
908	Gejcjbah.exe
2016	Gobgcg32.exe
2016	Gobgcg32.exe
1416	Gbnccfpb.exe
1416	Gbnccfpb.exe
2840	Gdopkn32.exe
2840	Gdopkn32.exe
1680	Gkihhhnm.exe
1680	Gkihhhnm.exe
2120	Gacpdbej.exe
2120	Gacpdbej.exe
2600	Gdamqndn.exe
2600	Gdamqndn.exe
2636	Hpkjko32.exe
2636	Hpkjko32.exe
2524	Hgdbhi32.exe
2524	Hgdbhi32.exe
2556	Hicodd32.exe
2556	Hicodd32.exe
2868	Hnojdcfi.exe
2868	Hnojdcfi.exe
2408	Hpmgqnfl.exe
2408	Hpmgqnfl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Dgdmmgpj.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Eflgccbp.exe	Emcbkn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Odbhmo32.dll	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Dnlidb32.exe	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Emcbkn32.exe	Djefobmk.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Eajaoq32.exe	Enkece32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dnlidb32.exe	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Dgdmmgpj.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Lpdhmlbj.dll	Efppoc32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Dhflmk32.dll	Dnlidb32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ecpgmhai.exe	Eflgccbp.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Eeqdep32.exe	Ecpgmhai.exe
File opened for modification	C:\Windows\SysWOW64\Epieghdk.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Lbidmekh.dll	Epieghdk.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Eajaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fdoclk32.exe
File opened for modification	C:\Windows\SysWOW64\Eflgccbp.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Eeqdep32.exe	Ecpgmhai.exe
File created	C:\Windows\SysWOW64\Epieghdk.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hicodd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	1004	WerFault.exe	68

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll"	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll"	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gdopkn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2488	2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe	28
PID 2864 wrote to memory of 2488	2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe	28
PID 2864 wrote to memory of 2488	2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe	28
PID 2864 wrote to memory of 2488	2864	4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe	28
PID 2488 wrote to memory of 2620	2488	Dnlidb32.exe	29
PID 2488 wrote to memory of 2620	2488	Dnlidb32.exe	29
PID 2488 wrote to memory of 2620	2488	Dnlidb32.exe	29
PID 2488 wrote to memory of 2620	2488	Dnlidb32.exe	29
PID 2620 wrote to memory of 2116	2620	Dgdmmgpj.exe	30
PID 2620 wrote to memory of 2116	2620	Dgdmmgpj.exe	30
PID 2620 wrote to memory of 2116	2620	Dgdmmgpj.exe	30
PID 2620 wrote to memory of 2116	2620	Dgdmmgpj.exe	30
PID 2116 wrote to memory of 2708	2116	Djefobmk.exe	31
PID 2116 wrote to memory of 2708	2116	Djefobmk.exe	31
PID 2116 wrote to memory of 2708	2116	Djefobmk.exe	31
PID 2116 wrote to memory of 2708	2116	Djefobmk.exe	31
PID 2708 wrote to memory of 2388	2708	Emcbkn32.exe	32
PID 2708 wrote to memory of 2388	2708	Emcbkn32.exe	32
PID 2708 wrote to memory of 2388	2708	Emcbkn32.exe	32
PID 2708 wrote to memory of 2388	2708	Emcbkn32.exe	32
PID 2388 wrote to memory of 2824	2388	Eflgccbp.exe	33
PID 2388 wrote to memory of 2824	2388	Eflgccbp.exe	33
PID 2388 wrote to memory of 2824	2388	Eflgccbp.exe	33
PID 2388 wrote to memory of 2824	2388	Eflgccbp.exe	33
PID 2824 wrote to memory of 1452	2824	Ecpgmhai.exe	34
PID 2824 wrote to memory of 1452	2824	Ecpgmhai.exe	34
PID 2824 wrote to memory of 1452	2824	Ecpgmhai.exe	34
PID 2824 wrote to memory of 1452	2824	Ecpgmhai.exe	34
PID 1452 wrote to memory of 2680	1452	Eeqdep32.exe	35
PID 1452 wrote to memory of 2680	1452	Eeqdep32.exe	35
PID 1452 wrote to memory of 2680	1452	Eeqdep32.exe	35
PID 1452 wrote to memory of 2680	1452	Eeqdep32.exe	35
PID 2680 wrote to memory of 2276	2680	Efppoc32.exe	36
PID 2680 wrote to memory of 2276	2680	Efppoc32.exe	36
PID 2680 wrote to memory of 2276	2680	Efppoc32.exe	36
PID 2680 wrote to memory of 2276	2680	Efppoc32.exe	36
PID 2276 wrote to memory of 1536	2276	Epieghdk.exe	37
PID 2276 wrote to memory of 1536	2276	Epieghdk.exe	37
PID 2276 wrote to memory of 1536	2276	Epieghdk.exe	37
PID 2276 wrote to memory of 1536	2276	Epieghdk.exe	37
PID 1536 wrote to memory of 1020	1536	Enkece32.exe	38
PID 1536 wrote to memory of 1020	1536	Enkece32.exe	38
PID 1536 wrote to memory of 1020	1536	Enkece32.exe	38
PID 1536 wrote to memory of 1020	1536	Enkece32.exe	38
PID 1020 wrote to memory of 672	1020	Eajaoq32.exe	39
PID 1020 wrote to memory of 672	1020	Eajaoq32.exe	39
PID 1020 wrote to memory of 672	1020	Eajaoq32.exe	39
PID 1020 wrote to memory of 672	1020	Eajaoq32.exe	39
PID 672 wrote to memory of 1244	672	Eiaiqn32.exe	40
PID 672 wrote to memory of 1244	672	Eiaiqn32.exe	40
PID 672 wrote to memory of 1244	672	Eiaiqn32.exe	40
PID 672 wrote to memory of 1244	672	Eiaiqn32.exe	40
PID 1244 wrote to memory of 332	1244	Fjgoce32.exe	41
PID 1244 wrote to memory of 332	1244	Fjgoce32.exe	41
PID 1244 wrote to memory of 332	1244	Fjgoce32.exe	41
PID 1244 wrote to memory of 332	1244	Fjgoce32.exe	41
PID 332 wrote to memory of 1028	332	Fmekoalh.exe	42
PID 332 wrote to memory of 1028	332	Fmekoalh.exe	42
PID 332 wrote to memory of 1028	332	Fmekoalh.exe	42
PID 332 wrote to memory of 1028	332	Fmekoalh.exe	42
PID 1028 wrote to memory of 1128	1028	Fpdhklkl.exe	43
PID 1028 wrote to memory of 1128	1028	Fpdhklkl.exe	43
PID 1028 wrote to memory of 1128	1028	Fpdhklkl.exe	43
PID 1028 wrote to memory of 1128	1028	Fpdhklkl.exe	43

C:\Users\Admin\AppData\Local\Temp\4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\4e1ad03b6e326a79c12c95b2b1630c80_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\Dnlidb32.exe
  C:\Windows\system32\Dnlidb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Dgdmmgpj.exe
    C:\Windows\system32\Dgdmmgpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Djefobmk.exe
      C:\Windows\system32\Djefobmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\Emcbkn32.exe
        
        C:\Windows\system32\Emcbkn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Eflgccbp.exe
        
        C:\Windows\system32\Eflgccbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ecpgmhai.exe
        
        C:\Windows\system32\Ecpgmhai.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Eeqdep32.exe
        
        C:\Windows\system32\Eeqdep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Efppoc32.exe
        
        C:\Windows\system32\Efppoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Epieghdk.exe
        
        C:\Windows\system32\Epieghdk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Enkece32.exe
        
        C:\Windows\system32\Enkece32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Fmekoalh.exe
        
        C:\Windows\system32\Fmekoalh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Fpdhklkl.exe
        
        C:\Windows\system32\Fpdhklkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        
        PID:2120
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        42⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 140
        43⤵
        Program crash
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Djefobmk.exe

Filesize
487KB

MD5
41ce2a0991e3f5808810689b8c9063e3

SHA1
fee9b5d4abd0b67149d2eaeaa8320b76ac14075a

SHA256
8027a8979357bfdf0348bcbe0a2a8eda1a01d196f0f883d36e78807004d4b303

SHA512
256f301c9cfaaf397f9c77531653c37df66288809a77565917431748e07ca5e6be1c7661a49c3e9866700d2adab9a87104267a6e600df7c8e7541fd3c94d060d

Download Submit
C:\Windows\SysWOW64\Eajaoq32.exe

Filesize
487KB

MD5
6be761f43e01a3dfd498d712ff20d737

SHA1
1781c802f33159607150af2cc8e2ca257cb4bbff

SHA256
acd07d1ff64b1f45dfc32829493dfa31aa7210bc4944fd5278a63936e695c006

SHA512
72a877f8f068259fd40c1cee0b4d220e1d1623e41b7179a072eccf51b056d763e34a689ff061a2702c727894ebe5cd18d7db9085da49f18394b600f1a550a2da

Download Submit
C:\Windows\SysWOW64\Ecpgmhai.exe

Filesize
487KB

MD5
ba3f6ad85cd42716c530a5667b4103bc

SHA1
16866ab5de2e6cfd1b27beef737bb3b0543690a9

SHA256
be16fe2060bfd32fdcb3984e0afdc96c9f37bb34f3386ef8bb4c75f2c594ca57

SHA512
3524d634792b70834e5145d40eebc9783638e137f3767eb0fc94c933cc224963d67622bb389c3033df6bf478b57387188c55f3fb9ffbecffddd3cd8cd461931e

Download Submit
C:\Windows\SysWOW64\Eeqdep32.exe

Filesize
487KB

MD5
7c7173bdc2c50cd0571b29b5ef550436

SHA1
85e3b289c6043a2599a668cae966e669cfa3f9e2

SHA256
64bee9edef2a681b4bfff4bfab9c7857cf033eeda7eb389730a150fb6c687436

SHA512
97abe230a03c0057ce3c0002295616cef4fff2914500d2b6852a0350a8cedf2d278695aeaa84b0161ce2dfb7250e531af2559c34d183fc7c221be228d33c6f24

Download Submit
C:\Windows\SysWOW64\Eflgccbp.exe

Filesize
487KB

MD5
0a75fcec4d0a8b5b1bbec3ee4e6f752e

SHA1
666b7175711c1bf73fbb351d6398adc31b2e4e58

SHA256
372237cbadd04c765c55ab513f67abd3868dbdedb1ab44b623b114674cd1fb4f

SHA512
52248a8abf9e9791ea6931e53d7eb310d2a357006c68bbe4486010168ea426c7c37f7f4d31812d26622b3a29a469c37af90fd542321c8f684ca4858a32ea37df

Download Submit
C:\Windows\SysWOW64\Efppoc32.exe

Filesize
487KB

MD5
ff09bd2d9a923b5c4b2882a0fe0910d4

SHA1
3554acf67da823341e5d37bd3985ef20a397c525

SHA256
03d5e253dbf0510d9d10ad53f45724ba1ddaf350c31e8699b7a3ac6cb0a6ad75

SHA512
52dda804682619a2f32127a6375de497ccc5efedf103c91b84c8cc60dac6af171bab0983d4c2e8cb413333534f7563676d4b35879f7880dc18b604b8c83a40b9

Download Submit
C:\Windows\SysWOW64\Eiaiqn32.exe

Filesize
487KB

MD5
6d9777ea80640110febe675cabd8a7c9

SHA1
f406af1707ee567c908ec3f5ab551a20431e054f

SHA256
eb10a8618c83e5f4b1d95cee445a137b4983e2e51e90773260f843521db0b0d3

SHA512
2d4f673890af7fb281813c0b47b6c9d8aecd87949a756851b324ce5cc77d2336d9393081fc5dd2aacbf41e1de5d4b2924450466407e44c06747927fa8037a880

Download Submit
C:\Windows\SysWOW64\Enkece32.exe

Filesize
487KB

MD5
783976305491e4c78ce038026cd612c3

SHA1
cf82f03be0e50ff75c4bdbdc4377d84ad5f72aed

SHA256
e12305b59352ea201092d1b3afc6f9196510ce9366a1bb8ceda421ab5f0aa7b2

SHA512
e5bb702ba4efd68a3d6a11d0432885672f53c0618b138ecf895255ad388e48104a5eae4587de10437b59dd39ecb2cb990caeec179756951791bd0bdb76f09797

Download Submit
C:\Windows\SysWOW64\Epieghdk.exe

Filesize
487KB

MD5
52ae9acb48c6f97d222afdac25866e60

SHA1
903a91db4cf696be35b70210d2af2996cfb0731b

SHA256
0fe7bdb67b177c13824fbebfd6b13a42ed14deb6ab6e1546948b8941002f7b7f

SHA512
ec2c699813890c08219404bd0706aede6f596a04ab539cd715fb160de755fe35892731978927ced65255f4679cda18ff425a52a24bbaadf5e7d3229b572fde92

Download Submit
C:\Windows\SysWOW64\Fdoclk32.exe

Filesize
487KB

MD5
7871ddf28d77caddac3c3e2b3ce298d7

SHA1
fcf94faf28d6933df36cdf61352fd2151ccb6301

SHA256
94033d5813aa7efb612b3aca60146b03f3544901f09ecd3782076e668140fb95

SHA512
b056de9ea0b1dd627ba0bc1db109bc8fa586a21f6c24d36dd6b6084215947b73b575872fc72404442530d4db1f890291d91c0d7bd7d9783f8d51941a1a35ae3a

Download Submit
C:\Windows\SysWOW64\Fjgoce32.exe

Filesize
487KB

MD5
96c0fe98576242e8ff28128afd6be5ac

SHA1
648314cfab062aee57ac6b957284e0bb35e871a5

SHA256
28f1f9d12db3b1ae9b3b50eb4012381f81c4a2851e33df795bd897341b29ab5c

SHA512
b97f54b1ba923477430b3c56fa6839029926fe1baba82013e6f422686230361af920e8e70db50ed492fa257b3c1bb1439d43f6ce7f87301cfb97e0de9ea28218

Download Submit
C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
487KB

MD5
45fb816f980adef9b2c6c5fdd9d4db1a

SHA1
8e3eb9f927eac0698681a0b40d2ffa286c1c9b23

SHA256
91421d90348b1fc36cd54d6f8575c40da9d0a2c83e255d373293e1294050a0dd

SHA512
00c21edff38cfb1bb81df3411c9605a9738a51e680bd5c2157362ffa32069c3ab531b5d4fb14c4a49e3dba6e3b244ff3e0c1fada70695d8697436a7e3aecf4a5

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
487KB

MD5
9f59d93de63d2e45e0e8eb8e0606427b

SHA1
f70bbb06c1accdd5db8ebf9450a8013b6234ff07

SHA256
4a9cd996c06b975d008484bca8d6cce4fc622d21e8bf9cdd2c92242585618127

SHA512
eeb9b19b527749e935f52750f6578373ee6157e8a1cfb51ed966765b8d72c27a7b206289a464bce817f8c4b98a36064ea205d1dacc6e416cbf1819cbcf489f79

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
487KB

MD5
c5d8cbfa88938b5e7dcdc88281271598

SHA1
f2ca24ef30d3b277d77b68787a5b6b1ea4ced22c

SHA256
7f0e5fc4f7b83ccaf31691dbf8f45d49edfaa92dbecb8dad25dd23fc68779859

SHA512
c2cba9e7cfd0df3155a9e834975021a8b52db9cdbbd0c4a29008bd45bdd2e5d9ca44f7224eef2ae4a7a05988db2df91596a991df6547dd82ffc6b2f91c8e501a

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
487KB

MD5
f75adc2a1f7d147673a0e815e2822d46

SHA1
8e24e6d1cfdf1996bb00ffcef50822efebb4670e

SHA256
dde9e6dd89d0f74946c6b5615b85897c587f93da7910b01f132890c4f96ecfea

SHA512
a3f69fecf30050b310e53b55219a34a489cbd985b1ba1bee2530f7559e9a7f01cceaf8e7ae81021fd8c38281222d468f025fac2f659cf6640db33e09da65ef0e

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
487KB

MD5
81f5c4f133a045a2c1f448f3f1baef2b

SHA1
666337a68592496b8e5579ea1740c54defabbbc6

SHA256
47de6392513d95dd0c42468f5ec130535f6346db530756eba86bde600fde139c

SHA512
97d4d568e8585d389fbfa059f2dcd73c5c05382ce47ce4da64544c2a5d4f41156cd7c0ffbc079bf49adb6351de74e9db5b7d638c2c503c0d47759887d4942e83

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
487KB

MD5
b4cff0281e876539c3a53d13a0b1cc7b

SHA1
0a68d680c3c075c95567fdddd43cbc3bccde14f1

SHA256
8301b287ea433aac9442560969cd5f468965d57110b4feb39c9ba5a0ccebacea

SHA512
8c1c16f1bf5f6364e17ac81bca8af8bc6674fd9ee6e2d73664c2452e90c7fa531f7b2787c72bf167f6dfeee03540570234529e34a3c53832d3d110a1b34669e6

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
487KB

MD5
7609ccf9732320226af145f49af35acd

SHA1
9d2ee1d4b38abe0937ffdcec4b0d91a6b630fd7d

SHA256
4dd33fd3bd6d1662739819ddfba0a9e47893d68be0f8b5a930f4c658e7a7c274

SHA512
a0e46e1e08ad8e9f42eb798dd2af333aa691c5c00dddcd09f7784ac87d8a64940680d74f702202865e6e5d11bc006a717d0bcbfb2e0abaa92a1363ba5caa6f6f

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
487KB

MD5
e9d226239a8b0054dbb1c2ebc266d2a2

SHA1
d935c0356fdd8e1566baef5e33f7f577354623c4

SHA256
67c78060c09ad1375680aa29b9a0c5342148ca33150f7aad0fb39123b2b6a263

SHA512
4f56d928c77aa1acef2ad1b7bbffa0923586322496af219f383d57c4801f3741c608c9673113890503a95b1b001e00ef601665b639c961a89490172f3b1aaf7e

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
487KB

MD5
439ab17d548965388dcafff49efb56e8

SHA1
ab087896a348188e8683d709ef3b81355d312568

SHA256
346c6228e94ef2d6a0abf944b8b1ab4c8fc1665bdaf703a08db2f9a966ce7056

SHA512
36aa31e4244be4c7e5c30233759e482ff1c4581c0dd4c03db152cb4379224bb4aeab885b7c367d514454896f288d247a2e3a3ace25b9742ff861ebcab6899a97

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
487KB

MD5
296d973de9a3e2d796bbd8602c0b861b

SHA1
5676423ff412f04afd6a54f8a96af5ee504daa09

SHA256
9c71ea9c091342bbb8d636daa8d5d45362417895ac20b13bb12d0d7c7a2553fe

SHA512
0994da5abce225e1b5d12a108667d9112e18dad505625450e97cdb7a91edf1cf2c525a21dc2fb941631e8501ff8e6076b7e01ebb1705c0f91367ccb3b77c7d4a

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
487KB

MD5
8a0dd7427d7a2d632ff33a42879e40c6

SHA1
093e425fcd12f88b296c5d946a715bf88b501b68

SHA256
5c164d4e358e50ed4af116950210eccb54509bf07bd965b2da025c15fb6e5e7f

SHA512
34592f95c51cd0b95a739237619e4fac9a5e71244b2d6036815c3747b1bbd831b11e37a7a207b64d5566e491babe75c647b21b8ed24833925849bb889da2c840

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
487KB

MD5
2f5f8f2daac23d8cf375a91dfcd0d253

SHA1
e10c9672858d10b3f5c35fd8f24fcdb39d2eb8d9

SHA256
bfd8ec1581814b010f4210b11f0880ab14b415da6be3c867a32e758bca962cbc

SHA512
4c75127decc095c41dc01d2f48db2394d8466c5b95f874e37988ac2ecf2cd2e878d9326c08122f701cbf328a76c526b2cdfb6f9ad4a017cd9335f816c9f23d4c

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
487KB

MD5
050ed7c7403af0277a89805ca44f4cea

SHA1
b0cc465c487e5609f202305ea7473a7d6265d034

SHA256
b6732a75efce94811d3044a7472ebec00dd9e25d533ff25545aac44bcc63444f

SHA512
a4051e47bc74c58720a579113f6f8cad6e51a199a63199f4987db5c62cd6026b7076b68d4bce91f6f65fd8a73a4e3f49f7e472fdefd460ad93e8da500e7e5c25

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
487KB

MD5
9a4defcafddd0998fc1fc4a5f165ae25

SHA1
9be75a03f081c5e13b096c17e674730ae9cd8376

SHA256
0575a976c94f115b6bdc4dd4589f52036279f4eb0cf0ddb8c92369f4938cbec0

SHA512
80c087cf3e7d8f950d2d102e3561d7778d59da435b64d464e389e03af209e703e2063fda56e471a0f22b57aae36b80e900470e430176db6910335784c626668b

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
487KB

MD5
d0bf9238f5aef6b39e29ca0d8fd4c161

SHA1
fcb66c9f5515284f815671c40202d74e5ca9744a

SHA256
53b439bf94f2b0953305c11cbabfcd0f410b7f0f4be68b5c77e2ee4680725aa2

SHA512
ff40beea705a33dd255374393d8ce773b2158822ca911fcb5f64f1205b05319489411185681d4e20ed42bc27b3fa2152c5500ad28d931c9c2e7ef6badc8f7a91

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
487KB

MD5
a579845cbd6fc3df7bd4f62138847def

SHA1
942fff721d53a92f961bc0e992012a9ec1bde565

SHA256
33bba89f6af09019542ec49b3eaea6aa109981d649ae9431cc05cf94e50394fb

SHA512
58477809e59b9c900306a28aeb8d6b82d62a38d243e187904679b39c426f2eb0aeadd4bc02d0f54268f2fa0054a5be771228193698a8aa04cf0aaf8deae5b992

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
487KB

MD5
b350a525a1d70050dd248bac8647c013

SHA1
e993c53e9ab7d9e902380dbaec533188e2bfd5d4

SHA256
ca2163ecd4fd7c184f26cf5ad95980df5645c0cfddc3500f623fbe61bb516de8

SHA512
1779375fa28de50069d6f98e7f934a85cf4f760491be64a26a615705386a4c780a94c62a27ce5777da357d7776bc20fea8a9fd12110d01ce7028936c9436e1aa

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
487KB

MD5
a5bfe4de217ac01f1f9571d32c105f42

SHA1
7559e10b5ca0e7daf06ac8b9f01371145335e08c

SHA256
3e7860065f0838abcacc2b6f8678e870c4e40c106b4d9b01e93e9775a1f17a86

SHA512
b010e0f34499cf3803b5ceb3de9781c36c6518f1df30bc46aa4774f106fb6609596029840d01ba88c2fae49598619c4143b4642b37c7692357437366ad682b3b

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
487KB

MD5
66ad7518a63cf70cd3e0b0cb68099218

SHA1
ef846525f6029d642af1cb7623ed2fc90c14e35a

SHA256
1939a43393c517ba410dd4748911c8dfe9f56dae5f054ff07630b6f1be784f7e

SHA512
1475a3a69fda269ada6bd7ebb75262bad6ded3f211973bbe8f72b8e5e3518ff615091b552fe3d3cf4b506cdc783b154e060d4e511a2f02adebdb253fb01eafb7

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
487KB

MD5
e5418e608b0ee15817eebccb33a0f81e

SHA1
4964f80e071fe25ad9aefd95304fb70780a8f05b

SHA256
42bf2dd97243ed6e5d23bdbe08dcac2dd0bc1a7098ab397a442f3e6110a6a64c

SHA512
29ca878dc13348e90dcc122feb64f169e5306928aae2cec135b011b3b2d5b0d73c5cfb6b5d42ba36d4d78460e5033eb4b6871c440bc264d5c77d008fa7970827

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
487KB

MD5
580a53602b37860e3f7f9eeeccff7855

SHA1
ec00e135b966772116a69ff7a9b51c895d939f98

SHA256
435e782787083ee6de9cf1c835ef1fae8c542224b7c434136207960660e183bf

SHA512
59dd6878b028522c3c80e71a1276d548edc048bfc900e7193ff5ddeb232c02b108fc7785e24b018446a4770ccfc47cf0ebcf5eac279a5fd7743edf1fc57e0235

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
487KB

MD5
5d0a9b575e28e8f41cd617858c71c640

SHA1
37aefb8b03d7b9ca6f8c90470aee9b1eb59215c2

SHA256
28ad53defed279d1862c7761ebe7ce785f2cf3d05cc312ced3a3a710993f566e

SHA512
209c8694aa427ea7d07b34be18a79ad6b5de48e3dc69b1071955d622ff25f82edd7a1e6fa9ec50051578a2319dfb4c8fc083c4419f2ec44baa3625e003106915

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
487KB

MD5
f454c0d07c35f1666f599eb5b9c0f815

SHA1
3835fe1f48f55b70146d7839c2544f2e9c04285c

SHA256
fb2f34520708f1d8fc77ee7fc272081940ffeb1638cf8d6fc31b46313722f0d9

SHA512
9e243540168484827cd47612dbfd27aa65371bde912957d803ceb0a16555ab3d88aefed315b88d3cd3798df4fe5a4765d35c7ad20a9b5915fbc9aaf2db3e3ad1

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
487KB

MD5
a383d2fce5488b530dca25d641ab9b89

SHA1
96a72e56be71263618deebb172a3d65263454351

SHA256
3aea9dfae2981c9cc4f2b2ec2f0821ffe1fa46d45ca3643c496ee17f306ee286

SHA512
fcd24888e0fd8bd0f6621d7d7bc4819d46823a71a72a661d58a240f94939fdaaa217a38357ec475b0b4192d4864347df7aba561126a71011770e31c993349fd6

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
487KB

MD5
6f593e4e8c8f97d34e099dd316bc2a77

SHA1
c58c4f208e195c7c6e02f5e0799056ec0482daeb

SHA256
d4716bfc0cb80e1bf8eec23d6e8bce26a4da4521aa20a359010eef6ab10d523f

SHA512
403e03325e6beb36bcb1985bd393068d3a2ef0eb2433a237d9ba22a6dc251628feba1609c50d4668d0dc2be60cdbb250b21f62a8709a25c81508332f4b477315

Download Submit
\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
487KB

MD5
8aa56585bd3b04dde16d98709333866b

SHA1
66e61a43ab2c44aa111127962afd409abb0fbe63

SHA256
c452638129f5e70ff68d6a32104602282eaa0cfe8ccf3c3b6ff2e45cbefab3a7

SHA512
12147557bc3dd4c62a571290c8eebac538f4c26f8c510a69aaf4d92a79097a12e554d8ed2d3fef2951953e6f35247ce600eba4acf66cbaedd0ad9e1773a74ef1

Download Submit
\Windows\SysWOW64\Dnlidb32.exe

Filesize
487KB

MD5
51759c0fc0568ef07556acbfcd3dd96f

SHA1
3de3ea58afec604eb38b32bf4f3bd89174a1232f

SHA256
4a789ecd0bd181e107f5142859a95d82a8320dd2ca99a7ebff0d64902573a14e

SHA512
7f5e417091cf9ee5397732c3da9abbb68793cf06743c9703c4db1172a0161e531593562faba8bb34c6f4614fc8e6493c4cd5595283b65578ab8940a188c42f45

Download Submit
\Windows\SysWOW64\Emcbkn32.exe

Filesize
487KB

MD5
3d856953791ce7b189b1a5fdf15e0bb0

SHA1
542cef52a4357f49ced212cbbd2b24550cd79cdf

SHA256
1047e18100a4c489e40e63bad079e57fa91c31f370b5834f8b637669c170c421

SHA512
ad8ddca1bcdf79c18c81db0e80c35687a42007cb41d2b57502a3baecf692acac411fd1699fb235c3eea57d0e87ccbb52e3224703db9e6a6c90f24f831d0ac1d2

Download Submit
\Windows\SysWOW64\Fmekoalh.exe

Filesize
487KB

MD5
20fd8ac6724af9a78fe49bfbbcd8e60a

SHA1
1840b3d022af1e990c17a3f2d0f7fe50192fec0c

SHA256
d632f33b092a2285efbb731948e93ace9d3e3d38cc717c870af3abe623bdaa47

SHA512
27d62b8f601276bdd059db922fa6f1dd915adbd53817d06cd121e81b467b9fb4630db32d5fcb8a848d7a13c634e4cc4dd7a44cadbbfeb0fe2f2ab06cafaefe8f

Download Submit
memory/332-212-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/332-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/332-209-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/672-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/672-180-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/672-179-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/908-275-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/908-280-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/908-279-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1020-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1020-165-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/1020-163-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/1028-225-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/1028-224-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/1028-210-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1128-236-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1128-226-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-196-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/1244-184-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-194-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/1284-254-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/1284-252-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1284-258-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/1416-301-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1416-302-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1416-292-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1452-107-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/1536-149-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1536-150-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/1536-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1544-438-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1544-451-0x0000000001FC0000-0x000000000203B000-memory.dmp

Filesize
492KB

Download
memory/1660-250-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/1660-237-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1660-251-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/1680-324-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/1680-323-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/1680-319-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1796-273-0x00000000002F0000-0x000000000036B000-memory.dmp

Filesize
492KB

Download
memory/1796-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1796-272-0x00000000002F0000-0x000000000036B000-memory.dmp

Filesize
492KB

Download
memory/2016-291-0x0000000001FD0000-0x000000000204B000-memory.dmp

Filesize
492KB

Download
memory/2016-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2016-290-0x0000000001FD0000-0x000000000204B000-memory.dmp

Filesize
492KB

Download
memory/2116-54-0x0000000000250000-0x00000000002CB000-memory.dmp

Filesize
492KB

Download
memory/2116-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2120-336-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2120-343-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/2120-342-0x0000000000350000-0x00000000003CB000-memory.dmp

Filesize
492KB

Download
memory/2276-129-0x00000000006E0000-0x000000000075B000-memory.dmp

Filesize
492KB

Download
memory/2276-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2276-135-0x00000000006E0000-0x000000000075B000-memory.dmp

Filesize
492KB

Download
memory/2280-427-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2280-437-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/2280-436-0x00000000002D0000-0x000000000034B000-memory.dmp

Filesize
492KB

Download
memory/2304-420-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2304-425-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/2304-426-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/2388-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2388-80-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2408-399-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-403-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/2408-404-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/2488-18-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2488-27-0x0000000000300000-0x000000000037B000-memory.dmp

Filesize
492KB

Download
memory/2488-21-0x0000000000300000-0x000000000037B000-memory.dmp

Filesize
492KB

Download
memory/2496-415-0x0000000000310000-0x000000000038B000-memory.dmp

Filesize
492KB

Download
memory/2496-414-0x0000000000310000-0x000000000038B000-memory.dmp

Filesize
492KB

Download
memory/2496-405-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2524-376-0x0000000001FE0000-0x000000000205B000-memory.dmp

Filesize
492KB

Download
memory/2524-375-0x0000000001FE0000-0x000000000205B000-memory.dmp

Filesize
492KB

Download
memory/2524-361-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2556-381-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/2556-382-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/2556-377-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2600-349-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/2600-337-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2600-348-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/2620-41-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2620-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2636-360-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/2636-359-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/2636-354-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2680-125-0x0000000000280000-0x00000000002FB000-memory.dmp

Filesize
492KB

Download
memory/2780-332-0x0000000001FE0000-0x000000000205B000-memory.dmp

Filesize
492KB

Download
memory/2780-331-0x0000000001FE0000-0x000000000205B000-memory.dmp

Filesize
492KB

Download
memory/2780-325-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2824-95-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/2840-316-0x0000000000300000-0x000000000037B000-memory.dmp

Filesize
492KB

Download
memory/2840-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-317-0x0000000000300000-0x000000000037B000-memory.dmp

Filesize
492KB

Download
memory/2864-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2864-6-0x0000000000300000-0x000000000037B000-memory.dmp

Filesize
492KB

Download
memory/2868-383-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2868-397-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/2868-396-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads