3f80ced2da969344b39852a9b0af9489164c619bc63a89770f8fb281ea7a6c47

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
Size

128KB
MD5

cbfbbb5419715a7805e199ea89a21130
SHA1

92cffc4ef06def21a7c9d15b5a4448a9afd2f28b
SHA256

3f80ced2da969344b39852a9b0af9489164c619bc63a89770f8fb281ea7a6c47
SHA512

88c257492ed6accedd9f4d8323b7514136590f9d484b24e2c97e6fc2d880784706decf0971de3f2eafb63ba6a55d51992dcb21ea5482eb6d0dd609f8fb13a6bf
SSDEEP

3072:zX8lwMpgh+V4tedVqLAYC+O+hd07oFli0KPA9fc3EMUtwn20I:zX6MuiLAYCtE07kli0KoCYtw27

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknach32.exe

Executes dropped EXE 34 IoCs

pid	Process
2356	Fnbkddem.exe
2704	Fdoclk32.exe
2592	Fmhheqje.exe
1656	Fbdqmghm.exe
2496	Fmjejphb.exe
2648	Fddmgjpo.exe
1596	Fiaeoang.exe
2796	Globlmmj.exe
2168	Gegfdb32.exe
1772	Gpmjak32.exe
1564	Gangic32.exe
768	Ghhofmql.exe
1516	Gbnccfpb.exe
2976	Glfhll32.exe
2280	Gmgdddmq.exe
1208	Gdamqndn.exe
1612	Ghmiam32.exe
1112	Gkkemh32.exe
3044	Gaemjbcg.exe
2128	Gddifnbk.exe
340	Hknach32.exe
1960	Hmlnoc32.exe
992	Hcifgjgc.exe
2296	Hgdbhi32.exe
1256	Hpmgqnfl.exe
1524	Hckcmjep.exe
2692	Hnagjbdf.exe
2620	Hellne32.exe
2512	Hpapln32.exe
2588	Hacmcfge.exe
2368	Icbimi32.exe
2916	Ieqeidnl.exe
2564	Ihoafpmp.exe
2712	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
2356	Fnbkddem.exe
2356	Fnbkddem.exe
2704	Fdoclk32.exe
2704	Fdoclk32.exe
2592	Fmhheqje.exe
2592	Fmhheqje.exe
1656	Fbdqmghm.exe
1656	Fbdqmghm.exe
2496	Fmjejphb.exe
2496	Fmjejphb.exe
2648	Fddmgjpo.exe
2648	Fddmgjpo.exe
1596	Fiaeoang.exe
1596	Fiaeoang.exe
2796	Globlmmj.exe
2796	Globlmmj.exe
2168	Gegfdb32.exe
2168	Gegfdb32.exe
1772	Gpmjak32.exe
1772	Gpmjak32.exe
1564	Gangic32.exe
1564	Gangic32.exe
768	Ghhofmql.exe
768	Ghhofmql.exe
1516	Gbnccfpb.exe
1516	Gbnccfpb.exe
2976	Glfhll32.exe
2976	Glfhll32.exe
2280	Gmgdddmq.exe
2280	Gmgdddmq.exe
1208	Gdamqndn.exe
1208	Gdamqndn.exe
1612	Ghmiam32.exe
1612	Ghmiam32.exe
1112	Gkkemh32.exe
1112	Gkkemh32.exe
3044	Gaemjbcg.exe
3044	Gaemjbcg.exe
2128	Gddifnbk.exe
2128	Gddifnbk.exe
340	Hknach32.exe
340	Hknach32.exe
1960	Hmlnoc32.exe
1960	Hmlnoc32.exe
992	Hcifgjgc.exe
992	Hcifgjgc.exe
2296	Hgdbhi32.exe
2296	Hgdbhi32.exe
1256	Hpmgqnfl.exe
1256	Hpmgqnfl.exe
1524	Hckcmjep.exe
1524	Hckcmjep.exe
2692	Hnagjbdf.exe
2692	Hnagjbdf.exe
2620	Hellne32.exe
2620	Hellne32.exe
2512	Hpapln32.exe
2512	Hpapln32.exe
2588	Hacmcfge.exe
2588	Hacmcfge.exe
2368	Icbimi32.exe
2368	Icbimi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fmjejphb.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2712	WerFault.exe	61

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll"	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2356	2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2704	2356	Fnbkddem.exe	29
PID 2356 wrote to memory of 2704	2356	Fnbkddem.exe	29
PID 2356 wrote to memory of 2704	2356	Fnbkddem.exe	29
PID 2356 wrote to memory of 2704	2356	Fnbkddem.exe	29
PID 2704 wrote to memory of 2592	2704	Fdoclk32.exe	30
PID 2704 wrote to memory of 2592	2704	Fdoclk32.exe	30
PID 2704 wrote to memory of 2592	2704	Fdoclk32.exe	30
PID 2704 wrote to memory of 2592	2704	Fdoclk32.exe	30
PID 2592 wrote to memory of 1656	2592	Fmhheqje.exe	31
PID 2592 wrote to memory of 1656	2592	Fmhheqje.exe	31
PID 2592 wrote to memory of 1656	2592	Fmhheqje.exe	31
PID 2592 wrote to memory of 1656	2592	Fmhheqje.exe	31
PID 1656 wrote to memory of 2496	1656	Fbdqmghm.exe	32
PID 1656 wrote to memory of 2496	1656	Fbdqmghm.exe	32
PID 1656 wrote to memory of 2496	1656	Fbdqmghm.exe	32
PID 1656 wrote to memory of 2496	1656	Fbdqmghm.exe	32
PID 2496 wrote to memory of 2648	2496	Fmjejphb.exe	33
PID 2496 wrote to memory of 2648	2496	Fmjejphb.exe	33
PID 2496 wrote to memory of 2648	2496	Fmjejphb.exe	33
PID 2496 wrote to memory of 2648	2496	Fmjejphb.exe	33
PID 2648 wrote to memory of 1596	2648	Fddmgjpo.exe	34
PID 2648 wrote to memory of 1596	2648	Fddmgjpo.exe	34
PID 2648 wrote to memory of 1596	2648	Fddmgjpo.exe	34
PID 2648 wrote to memory of 1596	2648	Fddmgjpo.exe	34
PID 1596 wrote to memory of 2796	1596	Fiaeoang.exe	35
PID 1596 wrote to memory of 2796	1596	Fiaeoang.exe	35
PID 1596 wrote to memory of 2796	1596	Fiaeoang.exe	35
PID 1596 wrote to memory of 2796	1596	Fiaeoang.exe	35
PID 2796 wrote to memory of 2168	2796	Globlmmj.exe	36
PID 2796 wrote to memory of 2168	2796	Globlmmj.exe	36
PID 2796 wrote to memory of 2168	2796	Globlmmj.exe	36
PID 2796 wrote to memory of 2168	2796	Globlmmj.exe	36
PID 2168 wrote to memory of 1772	2168	Gegfdb32.exe	37
PID 2168 wrote to memory of 1772	2168	Gegfdb32.exe	37
PID 2168 wrote to memory of 1772	2168	Gegfdb32.exe	37
PID 2168 wrote to memory of 1772	2168	Gegfdb32.exe	37
PID 1772 wrote to memory of 1564	1772	Gpmjak32.exe	38
PID 1772 wrote to memory of 1564	1772	Gpmjak32.exe	38
PID 1772 wrote to memory of 1564	1772	Gpmjak32.exe	38
PID 1772 wrote to memory of 1564	1772	Gpmjak32.exe	38
PID 1564 wrote to memory of 768	1564	Gangic32.exe	39
PID 1564 wrote to memory of 768	1564	Gangic32.exe	39
PID 1564 wrote to memory of 768	1564	Gangic32.exe	39
PID 1564 wrote to memory of 768	1564	Gangic32.exe	39
PID 768 wrote to memory of 1516	768	Ghhofmql.exe	40
PID 768 wrote to memory of 1516	768	Ghhofmql.exe	40
PID 768 wrote to memory of 1516	768	Ghhofmql.exe	40
PID 768 wrote to memory of 1516	768	Ghhofmql.exe	40
PID 1516 wrote to memory of 2976	1516	Gbnccfpb.exe	41
PID 1516 wrote to memory of 2976	1516	Gbnccfpb.exe	41
PID 1516 wrote to memory of 2976	1516	Gbnccfpb.exe	41
PID 1516 wrote to memory of 2976	1516	Gbnccfpb.exe	41
PID 2976 wrote to memory of 2280	2976	Glfhll32.exe	42
PID 2976 wrote to memory of 2280	2976	Glfhll32.exe	42
PID 2976 wrote to memory of 2280	2976	Glfhll32.exe	42
PID 2976 wrote to memory of 2280	2976	Glfhll32.exe	42
PID 2280 wrote to memory of 1208	2280	Gmgdddmq.exe	43
PID 2280 wrote to memory of 1208	2280	Gmgdddmq.exe	43
PID 2280 wrote to memory of 1208	2280	Gmgdddmq.exe	43
PID 2280 wrote to memory of 1208	2280	Gmgdddmq.exe	43

C:\Users\Admin\AppData\Local\Temp\cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cbfbbb5419715a7805e199ea89a21130_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\Fnbkddem.exe
  C:\Windows\system32\Fnbkddem.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\Fdoclk32.exe
    C:\Windows\system32\Fdoclk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Fmhheqje.exe
      C:\Windows\system32\Fmhheqje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Fmjejphb.exe
        
        C:\Windows\system32\Fmjejphb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        35⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140
        36⤵
        Program crash
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakqnc32.dll

Filesize
7KB

MD5
62ea9a2441459790e0887d976ad5a101

SHA1
f10fca7f46228e4671ac3955b863418c59e3a6c9

SHA256
1be4ad4b96b8a98c31bd6e5e821006f82b4fc8beb201f39f472404ec0654d0ca

SHA512
32b0a5a5d80f6fab631d9334d579e570c627664c30ff795ab21bf52d353f88e244977092962c7dd86e7fd22eb6d01722ab6b3b660fe5d02c17ddf50636bad12f

Download Submit
C:\Windows\SysWOW64\Fbdqmghm.exe

Filesize
128KB

MD5
7a119b1208edd522ca402682b61766f6

SHA1
70a71f158506544fa30a0c8e5da0e7d0c8b31f9f

SHA256
5eca37bd3ced956e291885e9713b5460c4c522f564bb6fca41b61bbe6115ec97

SHA512
10cc7d9cd0a23c813aa52ad0e32bf74eaa2e010da95690715257bff54346576912dbb470e5484edd5c4f8fe9ac2dfcb1ed88ef13059eff186443346dd6da893c

Download Submit
C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
128KB

MD5
43fab9d1fa7150339587c71e573dd653

SHA1
5b506f7495ac035471744e497d8119ba7eb4dc1f

SHA256
b45b4734de2e127dc7da622f943c9053f2ed6c7662cb48fc9d7df23043384be4

SHA512
22e5d637a591f80024c42424e55bbe905f238a66eefb182c0864b4b600d3c50028574d50d05dec51d80b5966daf5934facaf8d2d03f2e06ad1ca4fe8833a4fc3

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
128KB

MD5
f63798bd913c02cedcb9497593fc47a9

SHA1
97be0b8014160d4ec79d76c294e2b59594e7977d

SHA256
8512181f436bec36d88a6c033ea6354404358c768f861fb8223866973de9b987

SHA512
d32b4934f49409357709627b77d8172cfddd7168ff5db7649df03821b71f6c13102e838d51077dcb4af04a53daf50f92fa8690c20bfd8245e763142b5e002626

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
128KB

MD5
76f3c3be4d994e004ff40562bc05dc32

SHA1
915c5eb13c4d01b7b50d3842f3d1539eb55ca824

SHA256
ca4fda903b2dee9b8a8a72e54f025eabaed796c0928e0d1b7e68c98bb84f6549

SHA512
1bb3e294078b9fa06da0d7a64d8b493f2a26443f8a1acef6a14b72a2af3703239f29e4a4425161835a90b3b73d65b13f77b22cc06fd3093457e1c5e6b7f7a371

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe

Filesize
128KB

MD5
39e911e3161576c358f86ecc61135307

SHA1
b0c9852aa9d85c3518477ac78bd788c3fee259bc

SHA256
47c3476db065a083e8056c4b31c1720df1ba8e7f4a88b93c1eae6a8c622fa02f

SHA512
9661219e5be6bf9b40a9b3bd587a297317249a11264eaf2933d2b9b95ab4092a614d26648bdc830232de59a9c82ae6f20c10647c9d893297869f0586d7f5c27a

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
128KB

MD5
13cdcdfe5950027fe5e39669f89bbd3a

SHA1
771932846f4bd6f914cff2448185f93c622d0e80

SHA256
7724de3fb00ba7bcf96dabd68c31607aad72909380d03e0d1585087f7bdd7e28

SHA512
52fb91dddc34f68cbaa7c125016b912567860535cb16348d789f6a36a194742e8263747c32d21541024521d734337bac09ad31ba5cf9c4afd35844d6b57b40c6

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
128KB

MD5
fc8fae176c7c2dc229eefdea1d8fab02

SHA1
ac1145c32171ec3db6b019ba234e9d1e99068fd2

SHA256
9bcad9209db21a6d1a5f96796de616b2cd29e31f8d85cd169437c9c42fa53589

SHA512
cb0f9b029d98b14ee8c7e2447f01a94a3808fdb63d82960487b831949c025f0f31c519b9ac89f6d4f91946f0ae8ed41bcf3959c3803911714b2dfc61692306b1

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
128KB

MD5
c6240b8e759dc70ff212f0140ae84142

SHA1
90a9bdac65f4350aae5794690dbdb830fe2ef2a3

SHA256
58e3e77424fedcbe1d7665b174ff9ed104df0e72ab302c2e15d1b761dc7a53c0

SHA512
e453d16d4a8e96c09ba38fcbfe8486ae36d8a0f460a77df2119fa8c4f943facd3548cd8ae7252e528f80bd51fe5cf0791b346e4e115ca45ca2cb302141ebdf26

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
128KB

MD5
fc4b6a5264b2ebaf2777ecb7aefb952e

SHA1
ceb443a023c1ae361d61a12ab0e43fb06d3c64ef

SHA256
6095f3d3d11b592ca7e42d1df53126f8699eed6aa5d70a1d8b7c6f9d594e366b

SHA512
b5de5bade2e06f4e2055f2fe6e81046886a01b38f651e7250364fb4a22ba499f66e6d9c3b44009d33dbb14dcc731a485c78fcfe7127635fdef8fe4007dc88ef1

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
128KB

MD5
0ff51db02f19cee30e814492424160f5

SHA1
37c47187ddd4e861b174e690c93274d9479bd0d7

SHA256
c194c8d9fa180379b0c989eb85e2a108ec7aa764a1702f946eef97d3c785ef50

SHA512
773fc093f74791e030e42191f849d3557bc2a81e7e85de852bd808ab5f3b5f18ce6ef9083f36a9dc2d3ae7f687e44cd78d51b213b761846dfac9c677e50a243d

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
128KB

MD5
698843580471ca507f1f80836a7680cb

SHA1
f58b1be2a4fb78ad173b1a17eb6f705cbfeac85a

SHA256
736e3b85ccb06999e50ecf137c1ec2addd9bd351a1bb96d47911de9bd932a8a3

SHA512
4bc29507fc5b9f27a146847c12eedf1c1f7c16e303c83e873d44ee2ea83f29092826b05a1c5e83a2b953e614c5d50ddd5114316021ec772ad2ce688fb4edc035

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
128KB

MD5
72acee9671010c6c095237b08f00d075

SHA1
6d4cb0845e92d6312bdf089bf7ec6d097a67c017

SHA256
6dea2ded3d4faef0783ad34f40be89f91362384283ad5ff54fd4618ad7295502

SHA512
9280e98225b9369eb27116b6f874651d3f53397e1e55ca51f45eaae22b5fcc778709444baba740278a1bb13c0c49e49863fe6f73aa45fbc581ed075b8c566a4d

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
128KB

MD5
9e45998be8d145e8e8eebd251ec0c285

SHA1
6338448eba835dd5c3ab1dad127fa98e64deb6d5

SHA256
c21ea446a3db13f61936664154b383f94855637f34af1163cba8c3722728bbc6

SHA512
d4eadd09e05c9f5eaa516bd498edd583f6abc88aa37493451e015488abefdcb0580603bf91e2b77dd25c8d5a5a19c1ef34f11f6966167f51485e8b5ea96859a8

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
128KB

MD5
26584b2c507e440c767e2d5a533c88e9

SHA1
0abf31da29fb7d3c25e49f86759d089859c3bd3b

SHA256
f51ae8bf35f02981e13ec14af827c56b038b5f52b4b20c7ce362982f9a78511c

SHA512
d0c6c427c05db356d02fe13480635672e9b27621b647e3332cc732a35d6395725140ce82744be08083c40ee047e94116ca987ba4b5e5335a37d94a870b1a1cdb

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
128KB

MD5
bb3fdc4b1e18dbcdc0a00f227af66c8a

SHA1
5798c20838fccfeeae104f9f29dafb9a0fd97205

SHA256
facb987ad980a9ad4d168ae21e16047f3344c35eaf66840fcc90e2656b0c6a04

SHA512
86cb1c42346050b3b3660a553d142cf4a2d2a400cb0654338442572870b53034ebd97eb13273ea3dbc3bfacf2a2741e43f1515ff430da92d6379626a7b0b44ee

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
128KB

MD5
9c5551e8ded7bbba7696216e329688e7

SHA1
1a1f6eac721cf1d2ef2a56434850df9a6c92dae4

SHA256
6e43df8c33ea622d2da9b01a5e34403f9f904c7a83ad544428cc01bfd94ca82b

SHA512
7118be1bac83110506e1142a1d6f5057190663f08ec5288485e323a0286e17c6765c976a45da412d2f36d46e1ffaeb1ee97dcd0aab9eab624d495e29c0411da3

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
128KB

MD5
cae614677f0fc6c8bddc251415905ee8

SHA1
5e2a9dfd2bf8e0805090fa334a5b1ea030c73f71

SHA256
c9154179f9adb45c7186ea8121db24f7bdf9c3a8677a0cbcb43da189dc8c8729

SHA512
d1647b77526d98023a669076d41a6523ea9888d65e887562a372191bb7c5da5b5c78b8e28f940940767395cda31a6cfe293f906e5966046c7a3e788c99c423d8

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
128KB

MD5
3b6177bbeb3345155faf982c9d09d4fb

SHA1
ede2e220ba1de36f42469121edf8309be3961834

SHA256
078ae75732487db8eff24fe23ea6bc9ae508d80bd2240b8b0261777b63391e4f

SHA512
676b95873caf3dc323fdd057bbbd27809e4cb79fd8c1f6a5a675f0c9c0b7a8cd58219545835d2abcccdaf163d0930014ebdfe9d79e46dd6ece8314ffeb1f8dc3

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
128KB

MD5
78f1971c286c2cb8e79ac270c47d212f

SHA1
742e9e1aa32c04faa70f218e0a49d1362cffabe5

SHA256
4fa8792214f895daf418fed008ccdae3ce34b1c73bdfd97701ef3bae5f3121ea

SHA512
559306e0bbbd6bac8e09a4ceb58bd991dea877e22b6bb99b19c634daef3a6ef35c4ade12b55ffefe608769a0b14c3a488bac6e8025bd880151ce132691aa63de

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
128KB

MD5
0f3bb81c5c9274fa4a6c1404b5b25360

SHA1
ce9d9b109e9423c41953e210e91792ab16c08f59

SHA256
06b0a0bfd9094029d9d2d41bb672b53fe33fc4e8d4a1c401d2c9d5b56654985e

SHA512
ed3284d80919a5d7616016a222bf4fafd868cce2d42c48d5be83b64c7ad8308e1ed6ff3412633c2f7fb3d9117092b19e036fdacb45be6f50e664944edd9c5e0d

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
128KB

MD5
3bdddae32c35ae19b51df897f753957d

SHA1
e4712fd8ad79dce54e16a2cefe94c55df0ee594a

SHA256
8dbcbce9d5d22df2ae432cb0be2a1e377f154de308479a862cc571593e0e6c91

SHA512
907c9f4a1c3767db5910baaa43b15466075aef9cea3895ab3159b2fc4f208fa2d6e8598441810ba51929db017e00766d6ddfee6870ecca315ff56c7cb7fedd96

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
128KB

MD5
b9ca6d75d91f587bd7b231c232ee4a24

SHA1
3538023126b936f4778941992e4d130f5d098844

SHA256
7078f6fc9121595e716e5b25e864bb7a1aab4777797202f5fdad6ecd4f9a4fc6

SHA512
db09efdcc7ba20a2602840ef6662f02f9ef99f3f2082f7da0fd3694790fa1f3469fefb8d9dc75d1ab0746464ce568f8c694cb9dab9c2a974e2bc280793133d04

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
128KB

MD5
9848dcdf7f9ed8c425c9d0394f09d1b9

SHA1
2402481ec9025032a61b09834265f3359d1defaa

SHA256
9e9e8cab997f7c6af71bd0a2e7a93fa2cd348aef08f0727c6e2f15e832b975a2

SHA512
fe473e99ec4fc7f0145da4e2c9a1695323f1628b374aebd0c24659318b65dab7aa9efd5bb4b2ccfce2726af37d0eae1eadd33225fa770e7910510900679d3ad4

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
128KB

MD5
b769a226f0a4c43f017beb9ba190908f

SHA1
d54545d3f506bebffb3de9a83c2ad0ffd10a1d93

SHA256
ae6d4330e0799a345c0a700459708be57399f9dc5fbd8bf5add0bc460fa9767f

SHA512
ecd7ef62c8665284b3878b19f20b6b85f29924b6722ad64d067b0c2e3e61ef32397fb25aff8cb15b35c404afc99d2db53787ba60b31f18903f928958135d103e

Download Submit
\Windows\SysWOW64\Fiaeoang.exe

Filesize
128KB

MD5
d34c0a8694f22c52fa10d03b544ed019

SHA1
67ebe52f4097ea3abc3ae1ebc646793b3b354b4f

SHA256
1e8e4e672cad21f29120b58ddfa5e1cb510b1728110a76c2373f574e14957df3

SHA512
fef52bf96bfae8cefdbecf58768f3b7bb20e54222b5320fe0ac1e08cfa53aeab5dc6dfc140b86019a8d2aa927909b080f7976b67002f93a880c86466b66415da

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
128KB

MD5
c99ae093bdefd2450bac0b8cab8c7083

SHA1
3a60469c480fcb0890098a7d19a9780a9c46264c

SHA256
4c2ac282e184655ebe95a76c24fe71825dd2bc9e4899de12fa46e59f09b8dbe0

SHA512
231be4afcd1bcce419ae21d9ee770a1fb520e244230e3eb0626c8a82cfaecefefe09ee71a5e66d5945af0e8e55c57bed7cbc083f3bd0c72a095d1ae143ec82a8

Download Submit
\Windows\SysWOW64\Fmjejphb.exe

Filesize
128KB

MD5
513fc2e29304990cbc08c817da106ccc

SHA1
dfa4edc20be459c6d6c55ef6bab895ac37c5b062

SHA256
b0e992556e53dedf06e80adcdf3eec2619670bd0a265fa34967b667a1f7b1636

SHA512
9a258a9b4b81d98d02ec7943ef60f52559e71fa733b75a285084a3d16d0aaf8d723be8c3d96d65ac5835cce4ff5303b62348fb72f95411cdda52308c65a24c86

Download Submit
\Windows\SysWOW64\Fnbkddem.exe

Filesize
128KB

MD5
c460a5116225fc138afbcd7276b92499

SHA1
a470b68f282fd985812e7fdd4d10e0d77b1443dd

SHA256
125728997768ef5014b992bc34f92b1eaa2177a0320e2d157ec5d8ec9a4db52b

SHA512
94c2f9d7b33d20d1f7e43724a9af70aa21ff614782c5c46f3160278bbe291a2c35de44d6b682e2f0f6e96835a8a7786c8f00e41b615d313116d46e9c180f7a06

Download Submit
\Windows\SysWOW64\Gangic32.exe

Filesize
128KB

MD5
217f6d8a980ba9abbd255578aced2947

SHA1
5549994d96a3074a285b9a47b898de7c2bd316ff

SHA256
738ef9dfe13d07efaf879ee87a9cf5437a8f9145e406ef263b24716c0d5f9eb3

SHA512
5609baad0810c8682a2d0e16f9043efacd2ddc77c2a1389a4ed6c2bd269e096512dcc5bbb1e75735e5857206f913d76799e4d0f9ffcc44683cbeb3caa80ad935

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
128KB

MD5
75817ab44eb5d99566f9720af4a7995d

SHA1
66add8fb7af41f7734c11ef6cb1412aaf2d58489

SHA256
1d6b5dfb972a8d7352620fb3c50e3c08bc43cc27bfc00c803af6b68932a5a7a1

SHA512
d0f1c3deb55bf6263d5951be449cab6e5fbe35b1a2bef81423bc67a1fd44e61a5fcb269e2b5f3a8c207c9b8834898c25199ca0ed2c0d98aa508a44c9257f200f

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
128KB

MD5
2fe4826b083e88395d8a7469d72cd3f9

SHA1
edfd97c2e0758f2a361008ff0bea67988a21b36b

SHA256
17e6b22fb44ee60ffbfb6b29c61263fa00e474f8ed2bb3abdfa3e8a36a2c7cd3

SHA512
9d860fedd646e5e50c40538cb9d07421a72660cba08c30d9207e1354cad7a4fcace8d40e1f78d1c7ff7409a1c4ac0adad396ad45f31f0ad3a20160851d2c4b00

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
128KB

MD5
8c3d8fe58044d241156b50d5e9cb4c94

SHA1
34ac053e64969b09b05367a82c1449fdb3558e00

SHA256
267f6883054899cb380482362611787eb3764d7ac61c7470de4592b08cdadc01

SHA512
4dc1efdf20a61b2a824955a428d3f72325dd85323b6f029f6e205f88966cae8b2f56fe7c9e46d2f0c53c69f5a0489470a8f51259b7aa93a1d85e1e7edfb5a900

Download Submit
\Windows\SysWOW64\Gmgdddmq.exe

Filesize
128KB

MD5
4f82ae191cfa688b903ea8eca38be2d2

SHA1
86e63813ad8dc94dff9fcadf415a3816d406e14d

SHA256
a6e787ff9ad861900a07d558d0bee26039a6772e0617e74e7e9b1655f121c28e

SHA512
1c1de38d0bcc93a6dfba0eff61bb6979ba76db5a3f95da60f8c03aab0ad290fa906b4b78b51767b20e034c9612daacf173c49ce644a0332a5eb2a29e90f9d5d0

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
128KB

MD5
c6a137ea2a99eec4896b229bdc2f20c9

SHA1
68335ff3b651773e9ba2b85c0fe25dafcdc650fd

SHA256
cc65db97fb08455437fec57a7e8ab55f78287cb8dc14954d4fe8e30a14923520

SHA512
0ccea92c21b1fa99d6cca561bbf8cda312242688dcb8d94516a0aa34dca4c456cea93377ac7588dbcbd7f624f0c99d0c3a6dfe539f43197e36cd64d4ceb05302

Download Submit
memory/340-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/768-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/768-172-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/768-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-290-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/992-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-308-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1256-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-312-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1516-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-322-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1524-323-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1524-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-61-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1656-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-283-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1960-284-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1960-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-6-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2128-257-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2128-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-300-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2296-301-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2356-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-25-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2368-378-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2368-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-377-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2496-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-355-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2512-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-356-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2564-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-399-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2564-400-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2588-366-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2588-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-367-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2588-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-345-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2620-344-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2648-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-92-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2692-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-333-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2692-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-334-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2704-40-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2704-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-115-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2916-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-393-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2916-385-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2916-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-194-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2976-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads