042dec5f717dbdd8d1af0efb6977cc458d22c910fe189f91ae6d10106f5bfb78

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Size

320KB
MD5

23ccc5811a98d1c04baf9944527e7ef0
SHA1

2aba3bb1af783b8fc621364f2fa88a2aa200a9ed
SHA256

042dec5f717dbdd8d1af0efb6977cc458d22c910fe189f91ae6d10106f5bfb78
SHA512

01a73370b2969813a4a3d29c5239801020eee1a069e471dc71578e9ad6d0896b472e5ceebb82aa9394c3833df4d7f078322ce938b08556580e3bff8d1f5e8b20
SSDEEP

6144:4CezhHFan7fvlNY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:4CeNlqvam05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ealnephf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgodbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebedndfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqjepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epaogi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkhcmgnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgodbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe

Executes dropped EXE 42 IoCs

pid	Process
2196	Ckffgg32.exe
2616	Dkhcmgnl.exe
2740	Dgodbh32.exe
2960	Ddcdkl32.exe
1316	Dqjepm32.exe
2520	Dmafennb.exe
2148	Eihfjo32.exe
2612	Epaogi32.exe
2948	Efncicpm.exe
2756	Ebedndfa.exe
2392	Egamfkdh.exe
1584	Ealnephf.exe
1876	Fmcoja32.exe
2032	Fejgko32.exe
1936	Fdoclk32.exe
576	Fdapak32.exe
2304	Fphafl32.exe
980	Fiaeoang.exe
844	Globlmmj.exe
1668	Gfefiemq.exe
2004	Gicbeald.exe
2456	Gpmjak32.exe
692	Ghhofmql.exe
572	Gdopkn32.exe
1136	Glfhll32.exe
2132	Gacpdbej.exe
1588	Gogangdc.exe
2472	Gaemjbcg.exe
2372	Hgbebiao.exe
2720	Hmlnoc32.exe
2728	Hkpnhgge.exe
2660	Hlakpp32.exe
2544	Hdhbam32.exe
3040	Hejoiedd.exe
2892	Hpocfncj.exe
2920	Hellne32.exe
316	Hacmcfge.exe
1952	Hhmepp32.exe
2848	Hogmmjfo.exe
1696	Idceea32.exe
2056	Iknnbklc.exe
2040	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
2196	Ckffgg32.exe
2196	Ckffgg32.exe
2616	Dkhcmgnl.exe
2616	Dkhcmgnl.exe
2740	Dgodbh32.exe
2740	Dgodbh32.exe
2960	Ddcdkl32.exe
2960	Ddcdkl32.exe
1316	Dqjepm32.exe
1316	Dqjepm32.exe
2520	Dmafennb.exe
2520	Dmafennb.exe
2148	Eihfjo32.exe
2148	Eihfjo32.exe
2612	Epaogi32.exe
2612	Epaogi32.exe
2948	Efncicpm.exe
2948	Efncicpm.exe
2756	Ebedndfa.exe
2756	Ebedndfa.exe
2392	Egamfkdh.exe
2392	Egamfkdh.exe
1584	Ealnephf.exe
1584	Ealnephf.exe
1876	Fmcoja32.exe
1876	Fmcoja32.exe
2032	Fejgko32.exe
2032	Fejgko32.exe
1936	Fdoclk32.exe
1936	Fdoclk32.exe
576	Fdapak32.exe
576	Fdapak32.exe
2304	Fphafl32.exe
2304	Fphafl32.exe
980	Fiaeoang.exe
980	Fiaeoang.exe
844	Globlmmj.exe
844	Globlmmj.exe
1668	Gfefiemq.exe
1668	Gfefiemq.exe
2004	Gicbeald.exe
2004	Gicbeald.exe
2456	Gpmjak32.exe
2456	Gpmjak32.exe
692	Ghhofmql.exe
692	Ghhofmql.exe
572	Gdopkn32.exe
572	Gdopkn32.exe
1136	Glfhll32.exe
1136	Glfhll32.exe
2132	Gacpdbej.exe
2132	Gacpdbej.exe
1588	Gogangdc.exe
1588	Gogangdc.exe
2472	Gaemjbcg.exe
2472	Gaemjbcg.exe
2372	Hgbebiao.exe
2372	Hgbebiao.exe
2720	Hmlnoc32.exe
2720	Hmlnoc32.exe
2728	Hkpnhgge.exe
2728	Hkpnhgge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckffgg32.exe	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Dmafennb.exe	Dqjepm32.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Ealnephf.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Epaogi32.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Epaogi32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Dgodbh32.exe	Dkhcmgnl.exe
File created	C:\Windows\SysWOW64\Elbepj32.dll	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Dgodbh32.exe	Dkhcmgnl.exe
File created	C:\Windows\SysWOW64\Bnpmlfkm.dll	Ebedndfa.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Egamfkdh.exe	Ebedndfa.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Ealnephf.exe	Egamfkdh.exe
File opened for modification	C:\Windows\SysWOW64\Fphafl32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Egamfkdh.exe	Ebedndfa.exe
File created	C:\Windows\SysWOW64\Globlmmj.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Ddcdkl32.exe	Dgodbh32.exe
File created	C:\Windows\SysWOW64\Anapbp32.dll	Dgodbh32.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Fejgko32.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Dkhcmgnl.exe	Ckffgg32.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Dkhcmgnl.exe	Ckffgg32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Dqjepm32.exe	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Eihfjo32.exe	Dmafennb.exe
File created	C:\Windows\SysWOW64\Gcmjhbal.dll	Egamfkdh.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Ealnephf.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	2040	WerFault.exe	69

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll"	Dqjepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll"	Egamfkdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcdkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqjepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efncicpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Ealnephf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll"	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebedndfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fphafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll"	Dmafennb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ealnephf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Fejgko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqjepm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2196	2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2196	2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2196	2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2196	2952	23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2616	2196	Ckffgg32.exe	29
PID 2196 wrote to memory of 2616	2196	Ckffgg32.exe	29
PID 2196 wrote to memory of 2616	2196	Ckffgg32.exe	29
PID 2196 wrote to memory of 2616	2196	Ckffgg32.exe	29
PID 2616 wrote to memory of 2740	2616	Dkhcmgnl.exe	30
PID 2616 wrote to memory of 2740	2616	Dkhcmgnl.exe	30
PID 2616 wrote to memory of 2740	2616	Dkhcmgnl.exe	30
PID 2616 wrote to memory of 2740	2616	Dkhcmgnl.exe	30
PID 2740 wrote to memory of 2960	2740	Dgodbh32.exe	31
PID 2740 wrote to memory of 2960	2740	Dgodbh32.exe	31
PID 2740 wrote to memory of 2960	2740	Dgodbh32.exe	31
PID 2740 wrote to memory of 2960	2740	Dgodbh32.exe	31
PID 2960 wrote to memory of 1316	2960	Ddcdkl32.exe	32
PID 2960 wrote to memory of 1316	2960	Ddcdkl32.exe	32
PID 2960 wrote to memory of 1316	2960	Ddcdkl32.exe	32
PID 2960 wrote to memory of 1316	2960	Ddcdkl32.exe	32
PID 1316 wrote to memory of 2520	1316	Dqjepm32.exe	33
PID 1316 wrote to memory of 2520	1316	Dqjepm32.exe	33
PID 1316 wrote to memory of 2520	1316	Dqjepm32.exe	33
PID 1316 wrote to memory of 2520	1316	Dqjepm32.exe	33
PID 2520 wrote to memory of 2148	2520	Dmafennb.exe	34
PID 2520 wrote to memory of 2148	2520	Dmafennb.exe	34
PID 2520 wrote to memory of 2148	2520	Dmafennb.exe	34
PID 2520 wrote to memory of 2148	2520	Dmafennb.exe	34
PID 2148 wrote to memory of 2612	2148	Eihfjo32.exe	35
PID 2148 wrote to memory of 2612	2148	Eihfjo32.exe	35
PID 2148 wrote to memory of 2612	2148	Eihfjo32.exe	35
PID 2148 wrote to memory of 2612	2148	Eihfjo32.exe	35
PID 2612 wrote to memory of 2948	2612	Epaogi32.exe	36
PID 2612 wrote to memory of 2948	2612	Epaogi32.exe	36
PID 2612 wrote to memory of 2948	2612	Epaogi32.exe	36
PID 2612 wrote to memory of 2948	2612	Epaogi32.exe	36
PID 2948 wrote to memory of 2756	2948	Efncicpm.exe	37
PID 2948 wrote to memory of 2756	2948	Efncicpm.exe	37
PID 2948 wrote to memory of 2756	2948	Efncicpm.exe	37
PID 2948 wrote to memory of 2756	2948	Efncicpm.exe	37
PID 2756 wrote to memory of 2392	2756	Ebedndfa.exe	38
PID 2756 wrote to memory of 2392	2756	Ebedndfa.exe	38
PID 2756 wrote to memory of 2392	2756	Ebedndfa.exe	38
PID 2756 wrote to memory of 2392	2756	Ebedndfa.exe	38
PID 2392 wrote to memory of 1584	2392	Egamfkdh.exe	39
PID 2392 wrote to memory of 1584	2392	Egamfkdh.exe	39
PID 2392 wrote to memory of 1584	2392	Egamfkdh.exe	39
PID 2392 wrote to memory of 1584	2392	Egamfkdh.exe	39
PID 1584 wrote to memory of 1876	1584	Ealnephf.exe	40
PID 1584 wrote to memory of 1876	1584	Ealnephf.exe	40
PID 1584 wrote to memory of 1876	1584	Ealnephf.exe	40
PID 1584 wrote to memory of 1876	1584	Ealnephf.exe	40
PID 1876 wrote to memory of 2032	1876	Fmcoja32.exe	41
PID 1876 wrote to memory of 2032	1876	Fmcoja32.exe	41
PID 1876 wrote to memory of 2032	1876	Fmcoja32.exe	41
PID 1876 wrote to memory of 2032	1876	Fmcoja32.exe	41
PID 2032 wrote to memory of 1936	2032	Fejgko32.exe	42
PID 2032 wrote to memory of 1936	2032	Fejgko32.exe	42
PID 2032 wrote to memory of 1936	2032	Fejgko32.exe	42
PID 2032 wrote to memory of 1936	2032	Fejgko32.exe	42
PID 1936 wrote to memory of 576	1936	Fdoclk32.exe	43
PID 1936 wrote to memory of 576	1936	Fdoclk32.exe	43
PID 1936 wrote to memory of 576	1936	Fdoclk32.exe	43
PID 1936 wrote to memory of 576	1936	Fdoclk32.exe	43

C:\Users\Admin\AppData\Local\Temp\23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23ccc5811a98d1c04baf9944527e7ef0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\Ckffgg32.exe
  C:\Windows\system32\Ckffgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Dkhcmgnl.exe
    C:\Windows\system32\Dkhcmgnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Dgodbh32.exe
      C:\Windows\system32\Dgodbh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Ddcdkl32.exe
        
        C:\Windows\system32\Ddcdkl32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Dqjepm32.exe
        
        C:\Windows\system32\Dqjepm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dmafennb.exe
        
        C:\Windows\system32\Dmafennb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Eihfjo32.exe
        
        C:\Windows\system32\Eihfjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Epaogi32.exe
        
        C:\Windows\system32\Epaogi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ebedndfa.exe
        
        C:\Windows\system32\Ebedndfa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Egamfkdh.exe
        
        C:\Windows\system32\Egamfkdh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ealnephf.exe
        
        C:\Windows\system32\Ealnephf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\Fphafl32.exe
        
        C:\Windows\system32\Fphafl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        43⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 140
        44⤵
        Program crash
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddcdkl32.exe

Filesize
320KB

MD5
22e1ccc43df49cb4a157658a185db87e

SHA1
34573bf96df0c1a52f0dff8c36d5d8fb1eb263d6

SHA256
b1a293280d68225b3ab7d5f01cf6fc4a5fd0177da2e0afb0c7752720030508ca

SHA512
623c1a1813a56cc5fa84bf046db4bef1302af30f6fa314313c9fbdaed179ca83ff791d08f1240ead44f75a9ffcf34951f5391b4511e25e0da4038bbd40639566

Download Submit
C:\Windows\SysWOW64\Dkhcmgnl.exe

Filesize
320KB

MD5
f7acb1f62b45dc1a85d816472953edee

SHA1
7d43cb2d222d77e429fca2d27509218acb8c63b6

SHA256
b946207782c364ced5a91a1268ca7b6aee5cbe690905283cb6fa42167585cf79

SHA512
866910934c29f69f32dd301c3a4ed0b84bee30e8f66df3fdcf5afad1cb3649569d96fdd3f6493da849dc5d99b052d775b421f462505bf0e864f6eccd11749521

Download Submit
C:\Windows\SysWOW64\Epaogi32.exe

Filesize
320KB

MD5
cea4b8a61a0d9c7f9099bc4238cb2aa2

SHA1
b9f0fdf979a918aa31af652914da878109b5ca14

SHA256
def187d7243654746c8d05fe39c94a56341bacb8d91eeafe397985a8e88894dc

SHA512
978d95fe9eb0becc082939b21f3fea144a410fc836bbd29aab7be6f108ef865bf9b14c0cd20c4d3bad5fc86da1883cb0f82bd8c0efd74a282b61e404ae270c83

Download Submit
C:\Windows\SysWOW64\Fejgko32.exe

Filesize
320KB

MD5
aceeaff3ca6918c26149d57cee692a73

SHA1
51a3fbe8c9756b2bcefc16ff9ded92e140c8d353

SHA256
a04e02fb866079420ba356050d1acc75d8610493e635762b4137098c49b996bf

SHA512
30f4d17ba4f779dd0836ea531e6e3d5d476f0749b2ff2fac86e872792f8026b0a35e25e9755c965d34aa2931f73712ac772948db2dada9e00579d03b803f9706

Download Submit
C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
320KB

MD5
c60c33bd6eb39c1e443677228a667649

SHA1
b365f16e627806792d438db60e45572b4b346193

SHA256
e6adfedcccfefb467ebb7c27469429eb367dee46b8faed9a15dc85cd7307ad30

SHA512
27e28e2b30b29cf8403e35a045f3424947998baece06a0f74384463b6e8eaebf760ae05722a4a50123db4154ca4543493f01a2861567eddc6fbfcd565fa3ea71

Download Submit
C:\Windows\SysWOW64\Fphafl32.exe

Filesize
320KB

MD5
a80adb92b3be46d83a94ab8a221b8657

SHA1
7635fd10f62a09e02bc42ee10cb95d3c1b223fbb

SHA256
2b66d6044545e946da67f723a255338f2895e9b94f14d5164ea9041fc4923e14

SHA512
d9458628f34777d90d864a874b8e9fba85a44c6c9486cb87d831d61c13dfa32df9e0baecbe8876e6f13baac6fd3cf036302a4e58925096c9850c00ba4002fed4

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
320KB

MD5
1772f562f1dfe09948d0230cf1f6e2f4

SHA1
126857e4d6e0c248067655cfcfa5389a5e777696

SHA256
d8e000aba72e39dc2e6268b705c210a16737f0a48089ac973c2183b650b2480b

SHA512
4f6cfe1237862b165b371e1ac0384f9a43bd5bb1c092870c1dc15fc4de1a653bc6d07472c20e950e123794481e3aca5cbdb057dedaea97254568cc9d31fc70f3

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
320KB

MD5
9e581c0de1df1b5a3fcca978cc3e4d2b

SHA1
affbfecac7a266c1478008819c2c13ad30679e5c

SHA256
b32b1dc2af049e6e081d2eabda50f08caf13d0ea97294c677e9d89ae652aadf1

SHA512
1b5b77e153cf93d5ef1942658188db0a3b396d02a7e3b0ae6d0b0fd864c3abdf2502ffc3e6a186c1fcb201504d7207ac9777ee0451e19b607478ce246d5849d9

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
320KB

MD5
36678a4bbe337f102696407611521c9f

SHA1
5d0d180d672b36c72a178d85f29258598f0256f1

SHA256
2434a93dcf2e2e51a625602ea2829430aa4ea231f6e58bc3ddd725e897ead91b

SHA512
1ebffbb2152ecabfc2261b98b55be607ef2eb8808b8db048c4cd2ffb9ef4318f3c8956c7da4f1097913d1dc46c463d1996bed683137f7a0b64c878c1c99f1a2b

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
320KB

MD5
dc3e3099108d5c0af99e5e178f87ddf7

SHA1
bab85084c004c6d6e7948731d4b3ffc9b01069dc

SHA256
4baa0634102bec8ad6003b07446bba7820586ce871c6ea5e76486e79bdc54aa9

SHA512
2379518cad0ab8ad9da02333f0a4bc71367c0585b4b4d1ba6b08c5811fb58ec11d46210be61d288012526b9d5d4a05ffad1d71654f1bae368283e104d205c6aa

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
320KB

MD5
f5f95793499d173a4bfb63bf16a00bea

SHA1
d887ca148b24ef1b062f8e7ed9038e033059e0df

SHA256
a1f6e21102f485b56746bd32e79ec609b0adc0d378ae8282ef092b5208b853f4

SHA512
9382ccea4a3a182dfc140e755f450a0fe7e98276e9f22fc81cd33405eb258513ca1369e401e2aa65a82f8ddf54f54d1a809f162e9d3be85f2ac01a4b782384a1

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
320KB

MD5
ccbfa5aa483b5ba43055094af785be4a

SHA1
0b3cc71d3eee963af7ec4efe81e221d238a25746

SHA256
92148bc9e6ce2ef702c0ebad5e956f7957bef2b76424197f5b57c897746b3592

SHA512
b9c9b0b8e3da615cf03461a0570ee871e8be8fa69b9fe340fff2e6259c11364736ba8b8b7a0029846c3b38b2f55f73521dd9db5b604a4ed33f5b2f74a1f20d08

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
320KB

MD5
a38ea4e7ffc27a7bb9329a95e8aca6a4

SHA1
282b9c3ee217b70e444c479db670cb710825db0a

SHA256
54f698990f7bc0aae72ec8f9121fbe0845f0de48c716599e917967860b387d8d

SHA512
97d90d42a3570adc684b971e7479f9a9a2c684e60dfa314f51016af912a9235ecb7f04749648a26f7157463f821dfec16d6841ad649bb36f6b51c984ad33aaf9

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
320KB

MD5
ab04ab8116bddfc0c077e1a5acbd4a8f

SHA1
f7369a755a97647f2dd23d316afbecd24323eb64

SHA256
89a5be8a494cc6f6b9302532fd2b4ac8814ebc31d0c9055c0fa02acd61fdd060

SHA512
c29811d5537300b14f7c8d8858c33ac080376e02e4039aaa5eac7ad0cb5623a79dcdbf5bc7c6d5846f67087ce481d52e9bc78861dd931efab9a7d0aef45ef2e6

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
320KB

MD5
235c78bfd64dfcc2dfc7ee023c905468

SHA1
1c7a37bee8bdb0c3b405ea3084f03a1e014b898f

SHA256
884eff74c7a34759eac8628d72c9acdb2185f9f4f08cbea7dda94a3266526973

SHA512
c4a03aed223ebbdfe3d3e431832a09e836205a2fded7a2bc84225ddb976cdf7511a842c9c67398385ac7a785e5a7c1ca32e3deb598487d399c80ce7f2c075353

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
320KB

MD5
26ad98dc92d3b19681655427fdbcaa43

SHA1
70e9d8f16193af66e1f4210487ecb8e20b086b2a

SHA256
4982cd25bbc514ab54161e8626e8bf84b04c8d3faa77aa6a550d6c96b8cc6110

SHA512
2814b729ace54dd12b542be8afa7fa98fdaf4127fca04c39a6f3ede6fc81a8ce86510b19d3d97abb291e1a7f93519d0acdd8a241aaa76a204c59d7902704bb8d

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
320KB

MD5
71f8007960c3b003fbe992d6558c550e

SHA1
a44bbca902abcae20c89f19eb37cecc84a8b11a6

SHA256
b959433b4e7aa9955a43ac1f04de0113ca631bca7909b0ad645ba2e202609f2b

SHA512
c984e2e3dc2a6fd19fafb65ca66aca4cb08f5e84cf0575edd9e9620e73102bcf68612230187c5a9e4d1afb446f21d6c97032e03b4dbfe0ec92066eb54fabe71d

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
320KB

MD5
e5216782ff86bb02774a01def17a0d80

SHA1
c4bd0d78ff97876fbf422649996e0e8488438423

SHA256
69e32f9610f43f2e50768d08fa1a6756174a54039aa4af8395ea5aa06c7a9855

SHA512
c9ddf9c90c8c3a141f6e3c9a5bc293384bfc534257d7b601d093e3f6bfddbc0af6a823189d6b14d51057a4f5817976846356242ede6d5b4358f3f737caee9242

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
320KB

MD5
2ea2aa9f97af24095a45baa3792c8fe5

SHA1
e99bd3d84b1bbf9d01f1a3043e725a05d881d059

SHA256
a4f8e76f012c4a583fee7f75d0a26cad832dad651672d7f2d058a634a0e4c4b6

SHA512
e6912ef5a1bfc2c691f0ae598463eb32e2ab1fd7f0ff5f13173c6efaaff0d08bca804e539618ecf1da31a00833838ef580c5b3ccf6c25f55729eafa94cd6e827

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
320KB

MD5
ec44b41cb75484436a99a31c6af6fabc

SHA1
fffc417909960db410f3a262c819470e2ca7dda6

SHA256
8605e4cdbc1a9e03bc4c41110a45e04afc9e4a60e25070d21e4620b103131894

SHA512
bf75459dd9db06557c0d26db4f55ab80b3d5804ba461dea7574733a8771694e8a8d3d32813298cf40f25e9cbc6a250318b1ca9e8761be4ba17dcbd34d57ed31f

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
320KB

MD5
399b6489e8b51a7e248bbea70dc60716

SHA1
98f9288bdcc69fb2295d8dfde929f2a48ef063b7

SHA256
34938e40cde7069c538af49a657e59c9d00029b156dfb838c3a6207a1d7e8e73

SHA512
34654e40a26dffefa795c1a0449bd2115d73a6f2c26931ced69f0034a30ef4c685114a4be0718b0af2de0527c14df5b235d7c4afc8e6190ddca80609212b8342

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
320KB

MD5
e7833d01af48d20e6e9662faf88da003

SHA1
83f8b00f1561743f042583420bb463bac8d05859

SHA256
6c76345ca04a6d340e70bad6adde35b486cedf1b03621d9fb3773aeb91d43119

SHA512
347db903833849b87c525c7c7a352a1efbbc9ff013442bd02395d0ae48b63bb52218d17392e6bf456857cc1fef0b37a17fcc8acf3e7ff671bd215d9fac37d61c

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
320KB

MD5
7973d79bc6d1d33abb1ca5acfb325bfe

SHA1
dc59f33c79ad989299a849d01897783aa8900aa8

SHA256
0a4e828dffddaa8a258b3ad64254ac274a3d59b3585266fd792703d7c0339025

SHA512
dd655084e6391eac2f83d3983a698fbc8136720ec64d23c71b79f5bcd5413ff28b1e8b5ef7936a520133ec41bb28210283f78593dc2d1a5b9020b77ac2cd6d8a

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
320KB

MD5
ff8b399db4579b7da8c11289ec36618a

SHA1
19962bd157ed30d799c6d312fb65188f837e584a

SHA256
8906c40916155e544bea3781281117712af0ed1d844b8ae8c6c19ea23fec63cd

SHA512
3fdcdbd665444d085e6f2aa82cb533f8eede3834cd6cbb0d520229da762fe1ab3ecdf8d620d5b84e4d34793bfc4b3591a6c9add2b2e500201d3407d713f92408

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
320KB

MD5
e317aeb351cd828e11d76d808f51dd0c

SHA1
75002a57bf327f4f341d114c1e1a392d7cda6799

SHA256
3b4e5658d745b65e7a455d2d07562b117eefc64571be04ecf5af86f7b3fb0dc1

SHA512
a7ea313dedace09ff03a6fceeb049ec55c75c9ea06b6bfcff1f0a56e2478a399c819224ddc47f2320247b91c8fe8de3715601306ed7d9f76ffb36f50bb41917e

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
320KB

MD5
c618fb97f0cee538bdc63c0fd0357508

SHA1
c83e9aedc21f77320539e47e04f7ecc7dc18f252

SHA256
37d14576e75ee84f2fdf4908931958030c12fae583b07fe29a9d86fb05bae2b9

SHA512
33dad61a0bd1a1f4e559f60bd0ed8a9c73a7f8a81a813662a4aa69993fef9410f32945355365b0a96170ef9b0c98d487039cfaf44ad8529543e83b6f7e3961ba

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
320KB

MD5
77356ec17a9305299723fce3cb4033cd

SHA1
bbe12e5546fb999c42f1f4c88db984a6f4abab5d

SHA256
2e53bc9b9fd2c2951243287a359066ff97ff8a8ee995502af7d7499627fc3ff1

SHA512
3ff7bf6be328316c205509334bc6439571796814f7a88c9964abfb97291d94042fcef2e6baa7cd7bbe4663f842a1d5917c7385ef28257a68aac4f3cc3714fefe

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
320KB

MD5
b67683197e10f2e027a1f4cf1420a0dc

SHA1
23d2697536b9c50942de0b6636022df795995c9f

SHA256
ced32a8518886a2616f043834e9cbc18f44c8527e432032b4f0def148240d679

SHA512
722197a1a34fc82eb458760cd8d407c81ea062adbab2fc16e81a56aa5dab44dc4d7698475470f0696222b34ec60938cebf081a2599182856751de4566aabff84

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
320KB

MD5
530504cee2158e07e6702110570a5f65

SHA1
0ae4d1c302e90990aa531bee85db946a8b2ce919

SHA256
a365f9cd6adb9d9d5322bfd438466c88829d6c9f034e158569f59d8aafe0dd75

SHA512
6a741358ace7be80e7d620eb8328dc30cbb5bb3dcd8e614a57f388dcff1dc54e3ac65849684a283dbcd62a786b603f27c8831a81b06c28eef7729c4de88ff73c

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
320KB

MD5
64d78e97eed1650da074d3ded9aef6c7

SHA1
8daf23ccef5b7f88e9c97c832e3d1f297b3e02a6

SHA256
970a0203e241ab2abb2657602ec0cea7e0505fa9ae3e4bf0b694a6b6daff7e9e

SHA512
bd1ec3ff819419a2bfe58fda139dd8542511e36af651f5db6c46da7977a4052e386f8a3326fc4a04b53b4ee297c79d4c2e901d9e15c50faa4b50c266c484cef9

Download Submit
\Windows\SysWOW64\Ckffgg32.exe

Filesize
320KB

MD5
b81eb6cbf15a45c5dc7629ff2c7bd722

SHA1
818716f8c05b122c79127ec9cc38c6a0832aa7d0

SHA256
bb7b542916d98eabe76540a0ec341ab264b06694f9c31f814bfd3639522b8bf0

SHA512
012470f57114217303fc8382e599d0cca6ca7eb29c6f93c82ac35c754d22c6230ff1959326923d5d261abe846f215aba2606b8011813bc9533a94547c8d4d425

Download Submit
\Windows\SysWOW64\Dgodbh32.exe

Filesize
320KB

MD5
27098c3ee5a4eccd2f4ccd8e8c09c765

SHA1
70a27d589e34ca1f049923046f1bf8b5cb39e563

SHA256
95f7f27e6173b8e9bf5c7d64d28330857aae27e985b35ce9685af5ea7c3dcc63

SHA512
c0dd7588c938e31e104d53d97f4674d1373ae5e42a39a3a3af070efeec982bb495fd48a40d9616c3573a72ab72c6bd24c61f782cecfd7d6184b50cd0b407e568

Download Submit
\Windows\SysWOW64\Dmafennb.exe

Filesize
320KB

MD5
fe5d635fe654557e3e1df9a574e5a384

SHA1
4612d043b01433dcce3fb222d8603eb6d0fcd507

SHA256
2d49be58731154592f53ca949b58e6bd012995728951e0e71cc5fdd3dd4ed28e

SHA512
f0c57f01eaf744a2a4392f4859b2fd024713b1cf693d38ee54219ac6671559ac2e960beb5e99339d0853f2eb0eb444e279207400956fa7ad43cdef999de87bc3

Download Submit
\Windows\SysWOW64\Dqjepm32.exe

Filesize
320KB

MD5
137cbdac2998a5ca69756840eb9c19dd

SHA1
e29823de502b6548d62a6d398478d38f9a7ead4f

SHA256
67d4b861e0c2e226c7022fcc33c6f73e4e88ea8ba821fe9829276a4a0ebed36d

SHA512
96cc4b13f02cb8580570e2bf35684b29cad071c19f40b4da5da2003b20d80c56c6b2fae3c3a041f14fc865e68557ba52495c5eb8dbd6e39c3c4b5b77f2672703

Download Submit
\Windows\SysWOW64\Ealnephf.exe

Filesize
320KB

MD5
b858462b9da1be39c6585ca2f89bb266

SHA1
97bddabdd49b082d9928d768fdbf3a91fe8775d5

SHA256
c2c989bc309a5696f3aad1dd10e22c3bcf26da3b597c8d6934040b68d44d5d87

SHA512
08ff13851cac725e5e1c2a9e020db284713ed2ff802148f25a8c638e537b71ff0ac7af33b4351cba87f6c1cfa26cc71a3d814395b7cfcd8bcece42c60b4017ae

Download Submit
\Windows\SysWOW64\Ebedndfa.exe

Filesize
320KB

MD5
32b6a546298fdd5f5df8d31cd1f7f2a7

SHA1
a134fe51d46f7e3b3689e8c80c99badb8f3144d9

SHA256
2273cd7f1632b9c37fc6de55f457a46495f25d1ebfd39860857fa7e49ddad8f5

SHA512
017008371e782c7004e6ce9c3f13c970fc360036d74198195f60300360f97e0e24c5e34bfd0ff2273ffcb45460a31248f32246b56b4f2c6c5bafa60289ee7aaa

Download Submit
\Windows\SysWOW64\Efncicpm.exe

Filesize
320KB

MD5
713634f066cd0a3265b3ef07dcdd43d5

SHA1
f37207e75e2716e22f2b9365abbf58d10bf2a38b

SHA256
2a3fb5f82ea03be43c62921aff7be72c887f417541228ccebed96d92c6f4d62f

SHA512
0ff2706a0a46b96628080fee51cec80e55e018032dc666ead0fd980acf8a948ade9146e4c4f2a2d65690814f31fddc0463009642a43ae04108661dc090bb643a

Download Submit
\Windows\SysWOW64\Egamfkdh.exe

Filesize
320KB

MD5
9422da63fd159db756ebdbacef810263

SHA1
c87dabeab44ff5da48c13a3deb29b7eabea9583a

SHA256
5d4f461cca53134e49c5ab7b92102ee5a8e59b0d131c0aff1e9589199ad38005

SHA512
0cee0568d40aefe2cc614bd3983977570c71cb38e2b0dde4779637f8608a9b52f6dbce7ff1e39940c2e3939fe5f0000e04af9b2c2d2e246af1813861077da836

Download Submit
\Windows\SysWOW64\Eihfjo32.exe

Filesize
320KB

MD5
683a3cc4a92534dd353ddd59b21f1fed

SHA1
0191b0ab715f4a9847560fa060b4c6f2f40545a3

SHA256
d10ad9f00dd38022cc671203d2ca0c3b502c9a3de1b80873edd7f3188660aec9

SHA512
1c391ef39fa86682e6df1a2315bdfb7747d30751f4689fe432d28f0e6ea7e1c1b4078478122f0fbde8b30eae2ad6369f9f78d66c84eed8b0500a3aef7bf6c178

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
320KB

MD5
017db71f2bbd2444f899325b3422b4b4

SHA1
7c6d008566eedd0bbc657886b99f5ad7c4d672a4

SHA256
289aa476d0c9ee743489c6f625ea0cb639c1a5045f780b2edabf059903ad4e8b

SHA512
dc11aa7d6ecd92b728f69a60b42aaaccbec153cc3a9ee1089ef854f7b1a01597958e9e77c2587395f780714783f91a6ef0a3569088a3f9f8c35b263863cf9331

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
320KB

MD5
8bf41c095ef568e26cdec1450c746922

SHA1
4c141f3d03b7a34f391537fdf18a10504b1f7cdf

SHA256
d3d6912e6779a677182235f0d054a910d59d9cddec925fadc2c12f425fb392d5

SHA512
c606c3ef572d853251850bfade976751d9f827eab67d120ed44ac540e243033664235dadcee23044371a75af218ea6f231e4f56b959a6782a840a68461904c74

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
320KB

MD5
fc7dd775d2e29b93da9cff2ed69b4af4

SHA1
228259eab7b7938383df94bc48d7a6c81ebf86a8

SHA256
fb94b4832f2a9f63ec1a886ad359efcf6422e0ced9544fe5917d4727cc513205

SHA512
f154d8e659949c8c91db234441e1af225d3c92cd5e1727538e713565a789d9d85c301c5a1f6da27384e6d621f55addb866f6d9cf522c4a0fd3c0397f679023d0

Download Submit
memory/316-461-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/316-460-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/316-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-315-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/572-316-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/576-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/576-234-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/576-233-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/692-305-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/692-304-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/844-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-264-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/980-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/980-258-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1136-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-327-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1136-326-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1316-77-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1584-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-178-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1588-349-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1588-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-348-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1668-274-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1668-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-222-0x0000000001F50000-0x0000000001F85000-memory.dmp

Filesize
212KB

Download
memory/1936-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-465-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1952-473-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2004-284-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2004-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-206-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2032-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-205-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2132-337-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2132-338-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2132-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-109-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2148-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-244-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2372-370-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2372-371-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2372-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-165-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2456-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-295-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2456-291-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2472-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-360-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2472-359-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2520-100-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2520-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-416-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2544-418-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2612-118-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2612-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-40-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2616-41-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2616-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-405-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2660-406-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2660-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-378-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2720-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-386-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2728-392-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2728-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-55-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2740-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-148-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2848-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-479-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2892-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-435-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2892-436-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2920-447-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2920-443-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2920-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-138-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2948-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-139-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2952-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-11-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2952-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2960-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-63-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3040-424-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3040-425-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3040-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads