3a304ee8769d08b578efcb8ffb1c1b36d399f266bc81bc319e4b1dec82dff993

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
Size

59KB
MD5

9bf13e756d2a6a087c3bbdd818c66ac0
SHA1

50071113189a1877ea0b6708d85d87297c91e0b9
SHA256

3a304ee8769d08b578efcb8ffb1c1b36d399f266bc81bc319e4b1dec82dff993
SHA512

ef39d31a2544efb999ed609d09d7a9e251d23eb1b36a445664a7ae102fe57621f890636d19f3e81e3b26b49dd7c39fa1ee9ca5ca265c1a538766de741e27a2cc
SSDEEP

768:yFVPmuwHzsQYMththuhbivnV7+X1qbDLFDZ/1H5O5nf1fZMEBFELvkVgFR:yaJHtYgObjMbVPENCyVs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe

Executes dropped EXE 38 IoCs

pid	Process
2356	Ffkcbgek.exe
2696	Fdoclk32.exe
2744	Filldb32.exe
1656	Facdeo32.exe
2496	Ffpmnf32.exe
2004	Fmjejphb.exe
1592	Fddmgjpo.exe
2768	Ffbicfoc.exe
2716	Fmlapp32.exe
1904	Gpknlk32.exe
1556	Gfefiemq.exe
1616	Gicbeald.exe
1420	Glaoalkh.exe
2324	Gbkgnfbd.exe
952	Gejcjbah.exe
2860	Gkgkbipp.exe
1408	Gbnccfpb.exe
844	Gdopkn32.exe
1120	Glfhll32.exe
3052	Gkihhhnm.exe
3000	Gacpdbej.exe
348	Geolea32.exe
1300	Ghmiam32.exe
1008	Gogangdc.exe
2396	Hknach32.exe
1220	Hmlnoc32.exe
1524	Hdfflm32.exe
2580	Hnojdcfi.exe
2844	Hggomh32.exe
2752	Hnagjbdf.exe
2520	Hgilchkf.exe
2596	Hjhhocjj.exe
2928	Hcplhi32.exe
1544	Henidd32.exe
2784	Hogmmjfo.exe
2172	Iaeiieeb.exe
316	Iknnbklc.exe
2448	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
2356	Ffkcbgek.exe
2356	Ffkcbgek.exe
2696	Fdoclk32.exe
2696	Fdoclk32.exe
2744	Filldb32.exe
2744	Filldb32.exe
1656	Facdeo32.exe
1656	Facdeo32.exe
2496	Ffpmnf32.exe
2496	Ffpmnf32.exe
2004	Fmjejphb.exe
2004	Fmjejphb.exe
1592	Fddmgjpo.exe
1592	Fddmgjpo.exe
2768	Ffbicfoc.exe
2768	Ffbicfoc.exe
2716	Fmlapp32.exe
2716	Fmlapp32.exe
1904	Gpknlk32.exe
1904	Gpknlk32.exe
1556	Gfefiemq.exe
1556	Gfefiemq.exe
1616	Gicbeald.exe
1616	Gicbeald.exe
1420	Glaoalkh.exe
1420	Glaoalkh.exe
2324	Gbkgnfbd.exe
2324	Gbkgnfbd.exe
952	Gejcjbah.exe
952	Gejcjbah.exe
2860	Gkgkbipp.exe
2860	Gkgkbipp.exe
1408	Gbnccfpb.exe
1408	Gbnccfpb.exe
844	Gdopkn32.exe
844	Gdopkn32.exe
1120	Glfhll32.exe
1120	Glfhll32.exe
3052	Gkihhhnm.exe
3052	Gkihhhnm.exe
3000	Gacpdbej.exe
3000	Gacpdbej.exe
348	Geolea32.exe
348	Geolea32.exe
1300	Ghmiam32.exe
1300	Ghmiam32.exe
1008	Gogangdc.exe
1008	Gogangdc.exe
2396	Hknach32.exe
2396	Hknach32.exe
1220	Hmlnoc32.exe
1220	Hmlnoc32.exe
1524	Hdfflm32.exe
1524	Hdfflm32.exe
2580	Hnojdcfi.exe
2580	Hnojdcfi.exe
2844	Hggomh32.exe
2844	Hggomh32.exe
2752	Hnagjbdf.exe
2752	Hnagjbdf.exe
2520	Hgilchkf.exe
2520	Hgilchkf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Fdoclk32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fmjejphb.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	2448	WerFault.exe	65

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2356	2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe	28
PID 2400 wrote to memory of 2356	2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe	28
PID 2400 wrote to memory of 2356	2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe	28
PID 2400 wrote to memory of 2356	2400	9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2696	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2696	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2696	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2696	2356	Ffkcbgek.exe	29
PID 2696 wrote to memory of 2744	2696	Fdoclk32.exe	30
PID 2696 wrote to memory of 2744	2696	Fdoclk32.exe	30
PID 2696 wrote to memory of 2744	2696	Fdoclk32.exe	30
PID 2696 wrote to memory of 2744	2696	Fdoclk32.exe	30
PID 2744 wrote to memory of 1656	2744	Filldb32.exe	31
PID 2744 wrote to memory of 1656	2744	Filldb32.exe	31
PID 2744 wrote to memory of 1656	2744	Filldb32.exe	31
PID 2744 wrote to memory of 1656	2744	Filldb32.exe	31
PID 1656 wrote to memory of 2496	1656	Facdeo32.exe	32
PID 1656 wrote to memory of 2496	1656	Facdeo32.exe	32
PID 1656 wrote to memory of 2496	1656	Facdeo32.exe	32
PID 1656 wrote to memory of 2496	1656	Facdeo32.exe	32
PID 2496 wrote to memory of 2004	2496	Ffpmnf32.exe	33
PID 2496 wrote to memory of 2004	2496	Ffpmnf32.exe	33
PID 2496 wrote to memory of 2004	2496	Ffpmnf32.exe	33
PID 2496 wrote to memory of 2004	2496	Ffpmnf32.exe	33
PID 2004 wrote to memory of 1592	2004	Fmjejphb.exe	34
PID 2004 wrote to memory of 1592	2004	Fmjejphb.exe	34
PID 2004 wrote to memory of 1592	2004	Fmjejphb.exe	34
PID 2004 wrote to memory of 1592	2004	Fmjejphb.exe	34
PID 1592 wrote to memory of 2768	1592	Fddmgjpo.exe	35
PID 1592 wrote to memory of 2768	1592	Fddmgjpo.exe	35
PID 1592 wrote to memory of 2768	1592	Fddmgjpo.exe	35
PID 1592 wrote to memory of 2768	1592	Fddmgjpo.exe	35
PID 2768 wrote to memory of 2716	2768	Ffbicfoc.exe	36
PID 2768 wrote to memory of 2716	2768	Ffbicfoc.exe	36
PID 2768 wrote to memory of 2716	2768	Ffbicfoc.exe	36
PID 2768 wrote to memory of 2716	2768	Ffbicfoc.exe	36
PID 2716 wrote to memory of 1904	2716	Fmlapp32.exe	37
PID 2716 wrote to memory of 1904	2716	Fmlapp32.exe	37
PID 2716 wrote to memory of 1904	2716	Fmlapp32.exe	37
PID 2716 wrote to memory of 1904	2716	Fmlapp32.exe	37
PID 1904 wrote to memory of 1556	1904	Gpknlk32.exe	38
PID 1904 wrote to memory of 1556	1904	Gpknlk32.exe	38
PID 1904 wrote to memory of 1556	1904	Gpknlk32.exe	38
PID 1904 wrote to memory of 1556	1904	Gpknlk32.exe	38
PID 1556 wrote to memory of 1616	1556	Gfefiemq.exe	39
PID 1556 wrote to memory of 1616	1556	Gfefiemq.exe	39
PID 1556 wrote to memory of 1616	1556	Gfefiemq.exe	39
PID 1556 wrote to memory of 1616	1556	Gfefiemq.exe	39
PID 1616 wrote to memory of 1420	1616	Gicbeald.exe	40
PID 1616 wrote to memory of 1420	1616	Gicbeald.exe	40
PID 1616 wrote to memory of 1420	1616	Gicbeald.exe	40
PID 1616 wrote to memory of 1420	1616	Gicbeald.exe	40
PID 1420 wrote to memory of 2324	1420	Glaoalkh.exe	41
PID 1420 wrote to memory of 2324	1420	Glaoalkh.exe	41
PID 1420 wrote to memory of 2324	1420	Glaoalkh.exe	41
PID 1420 wrote to memory of 2324	1420	Glaoalkh.exe	41
PID 2324 wrote to memory of 952	2324	Gbkgnfbd.exe	42
PID 2324 wrote to memory of 952	2324	Gbkgnfbd.exe	42
PID 2324 wrote to memory of 952	2324	Gbkgnfbd.exe	42
PID 2324 wrote to memory of 952	2324	Gbkgnfbd.exe	42
PID 952 wrote to memory of 2860	952	Gejcjbah.exe	43
PID 952 wrote to memory of 2860	952	Gejcjbah.exe	43
PID 952 wrote to memory of 2860	952	Gejcjbah.exe	43
PID 952 wrote to memory of 2860	952	Gejcjbah.exe	43

C:\Users\Admin\AppData\Local\Temp\9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9bf13e756d2a6a087c3bbdd818c66ac0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\Ffkcbgek.exe
  C:\Windows\system32\Ffkcbgek.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\Fdoclk32.exe
    C:\Windows\system32\Fdoclk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Filldb32.exe
      C:\Windows\system32\Filldb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fmjejphb.exe
        
        C:\Windows\system32\Fmjejphb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        39⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 140
        40⤵
        Program crash
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
59KB

MD5
0a3c7f49cb37103ee064c148fed4d09e

SHA1
19403b786489aeb485293ed0d2b9df920cc7676e

SHA256
d3ac3ea98c67d07119e51f5d0840a9ce8c559d47da2a97939830589f3d6ce136

SHA512
0a71565f2649f3b0f14f8a4501c35221e1d8999b5a260b9de4846d0b8d63fabf993ec860c05865d4259f62377d600428d24b6e1a617fb5fa23fad364c3e7c54b

Download Submit
C:\Windows\SysWOW64\Fmjejphb.exe

Filesize
59KB

MD5
a20a42dd0a57b26c43e0b408b7e809f0

SHA1
222598b0a709e465f6f3e07c20622646de3591a4

SHA256
a14b956aa7d6aa36d1950c553460a968294793c973498de0b9babac6de31e00b

SHA512
88ee1e992870104ca33b1199059e4a8d48e8a0f095dea72234c89d72fdcca134bb29d514317bdc16d52a64da833aeac23bcdc4b10e902f29ef28383260b2b621

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
59KB

MD5
7b5010c20b3e34bf4313f6d913f0d1a4

SHA1
f8d9bd5422a64841751114a11cddcb64e5a9dc2a

SHA256
634581cf4dd4c48c64c7a89e5460a3e287e224f5c840811f3946d551c53146d4

SHA512
fff297390ea3fcdfdec24d7654d4d6539dabfe8d2737b20c457599e05e12748a37376abd5c632f9e3500da04822b9cdbfa8dd093967b1aab1171eb2150c3dfcf

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
59KB

MD5
74ec371f6942e5a0b61b89efd1264c7e

SHA1
969a992dd89137b8bcb9fb558bb088bd0c7904fa

SHA256
4fb8a0e9bb2255df65fb39a27d27cfea51ed9cc2d10751dd997d1f437c26e544

SHA512
8fc9906ca99c1c3ea82fcc8075ba8e8e6488cff1ba31023bb63ff9f35b4a8a91e40dc62290251edd4bbf87c0315f5a37117d36b29411bd1b0bf17d86ce0b3eaf

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
59KB

MD5
e25846833b59cb082432a317cc04f06b

SHA1
2654fe3087a8c7c35de9dd339f18c6122245b3b0

SHA256
de18aeb58c7382c9b341fa7c6f4263dfa9d693e3a055d2681e9ad7e28ecdadd6

SHA512
94124fbb2583dfd13ab8e1007b5b96359b11d18d4ef8b7a29ae061345903f9f267c9f36451043aea4752831bbc2d5cdae3744cffe8c2ffeca46bcaae8843af28

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
59KB

MD5
f94db079315f98852ad2faf8874cca00

SHA1
ba04e0de53c8591ac8496375ee4f6ffca69fbefd

SHA256
d213eb3a793d6a5122dece7983784fd9bbee3f80b4dce51586ac198179803c56

SHA512
6a032fdff2dd0272ec4771fb8e83bc8ef43ebc8dad93643d57a1638676ba2018afee0d2a617f9346134311d5f5cd8399ddce70045616114fdd3b5242fccafbcf

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
59KB

MD5
7b28ecbff55d1b8b5b041b06aca8d6c7

SHA1
dadf6647f399cb634902aa164b3434ef66da874c

SHA256
f160d5369b02fab98f73f16542cc98a17004d2a1775bbf7d76bc16cb8c5d907e

SHA512
55ca2b71447b3a4ae1b8439700f3aa79556d5992946a7877303aa794e60860ac5a8a7f9fde5c296c66caef96e1ff493db8e022e1f653dcd584d5f506b18abe7b

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
59KB

MD5
44877844e9d17ffe5111981f5dd22c5b

SHA1
2dbc85901e64a06fb6e32611dca1a4b52e2b4a78

SHA256
eab51bce36520544fb50865a3c74a15cbe1f87332ea8ae89466cbda54ed791c9

SHA512
de4182b70ed1355867812d45f181fb83930a9d36cf0c151a89e46826dbbad2d14c574477d0411e671dee23dca907040851067739ad91815e8c9ef5e47ed80806

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
59KB

MD5
0da7f9dc8bbec1c1ccb84abac462505d

SHA1
f44d532d0ded612f8ca426c7fa6a6a1e34b4cc0f

SHA256
8a9c6e1a43276b7ee1611b06d0dcc38df1eaa2bf13b3b77419dffcf112548122

SHA512
fcaed91abe5ae680344f49a6be1d40a1cb6796ec7b8b8170cac5e106d3224fc82042c96066c3b562f97c5d16d5086c11d8a415f5764ff02b9d67b11c0908003d

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
59KB

MD5
156e6815648df5fd9f8facd39d78f6ad

SHA1
47293af2f7a4b7b8d15e669bdcbb941c9a45ba84

SHA256
e006f97cd7b3f102f368a491ae481ba08732d14e2e033b938692652bc85f4de1

SHA512
f41ce072e6b0ca6c6f693db97714c7eea544d547495b9439c74dceb1f9d43e383fac1abcb488137a10e5942d36551212a0b0a5775e66b3fe8ed72c6211fb3273

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
59KB

MD5
b6308b5392b247db16963a83b5ec16ab

SHA1
f1c6b752bdcef86cade7c6b75c608d986b035d1a

SHA256
b84be7b552f07054fe9c1fb38342e59930f3d4dd7c4cee7b711e74d928047589

SHA512
f804d2094ef417fa8b0c62df672fc86383c21226ec24e5ecab83cacb54a6f347a143cd210967b63536c9c0c37431ffe34ed5dfd6cf37f408a6b2756bbc8ccd21

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
59KB

MD5
1b84eb5613efa2462918ed148d4fc06d

SHA1
55af1abdf725c386139c0e15d4185e3930c93dec

SHA256
313326067150c2ef68fada6c320bd94fc67ae682bef4e72a08124aabc337cc3a

SHA512
90436517be1d4348ff0b966ddf4533631c27c651fda3f5e9717a786edb0c994f80e9025f4f4f0d5d67321c19b56bfef0008594482ce1c2a980842cc0ec1f4d46

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
59KB

MD5
2237dd8a5f768efdb3766112b97719da

SHA1
92b31bd1ba51c5ab337f2d17a0b143649839e77e

SHA256
72c22ef2c4b99b63f796628df0d8794495fd64e441664c2f661f75db5db2eab1

SHA512
064203b2cca1eff7974bbdde749faeb4222097febcbf5b3e0eb9951a23a1836426ccb4ebef534ab189ccbff2038017d6706b107d892883072e1cf3bbd26a42c4

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
59KB

MD5
97dce6e181b3812843a1dfe5a789d777

SHA1
27d05a3fc93487449e117bcb7c26507076a799d9

SHA256
31a98b36000ba62ee532306fabda82374daf26f7336efecec53ccb23a03ebf21

SHA512
3978a66939e32596f4ffe8bf0169ffbea60d52b3774ac684e578c74e3d0855138ee45bcd09d107ffdb8d7ae46562ff883ed5dc3344ed066251785fd785bfd4f9

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
59KB

MD5
7124486149fbb55f6566058e0fd2d975

SHA1
954f1b1d43f7481074d7e9b0a2e81b499a4e4a7d

SHA256
cc8cdafec8c4bd3bd69c7434cbf8a976c890ecca9ccf6910c4be0f88000a014d

SHA512
481c706f3eceebb5f51610168b0c7bebf86e6198dd9c55a705a716ccaa386bc1f073abd35213ffabb79f6775053d8f280fc50e3f10344df1b2d65aec2b9eceb5

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
59KB

MD5
85b638f5e781cf34e1d21585f1473814

SHA1
4522c7589f24d436401c662dc0ceab2010538d1b

SHA256
43995f706a4c1259d45626099ae52141c8c90332a1adecd484c3ca8f726c91c3

SHA512
f7bb17ba93d5d3487c5cc91d655a9afb7ed70182327d366ed6b80e11d01d7f0ff60c79a8df247ae7c5ce64e868f9017fd86d43622be07c353037b75d16d046db

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
59KB

MD5
e53154b53906f148c0f979386d4b67d3

SHA1
f41645744b699519f7f62d6bb84fc7b0171c7691

SHA256
418fd1597a5dadb748b88fcb629b61481f537eeb373884918786ea919be427b1

SHA512
543a34925f7ae945ec13ec31734a446dd717a4187819c1350ed1d23a3be8cbdd0491a70c23226572b50843f0049386288805e31f9c064a996a2ab1bd2ce9004a

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
59KB

MD5
90938b596f4031d0b56fb18c94e500fb

SHA1
5c987f7be5b3485d5467a88ecd896258bdfe7ba7

SHA256
dc5a2e07a55a01c5ca59962fac42444c7d7c93c96ad42018e45a81eeae69b974

SHA512
c97dac5f5c910048028e3d525e168ace48ac597e2d660f0b2835df9e7ad47cce5679670f0f49e8dc525fea719742ddd9cd04c5ca874a69d2d87bd34b1164df37

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
59KB

MD5
13042117172c9c4ff3fecc9f62f382ed

SHA1
dd3684c9273053fb4c7eefb8d03c9115721743bf

SHA256
d8c72820a0a1c6133cac431cbcf3d154d61281b1284143e45ac25167ec0480a3

SHA512
9d9222166c078964bbcea90aa053ca26e20ef9618a31f74e45e11eb3e1af7e5de6a1e651be93e7774e5faf1ebcaeafa97524f9dd04c14ca2597dbf8826b1c2b7

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
59KB

MD5
b22974a3718426725168e056d9458219

SHA1
99aa24d6a421fae4683f8fb60d72b8664cf088b7

SHA256
3faaf66a2afe71ef9261aa736ca46b76b478ceb29af97a95c5a1c0f1ffbcc04d

SHA512
ae4a8e727c045d03e2354029859f2ad3672e0630fb112ce5361267f620683b2554c5e6167de8bc9332ed92399295359b19f652e07b2f03b12e8987b0324d5d92

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
59KB

MD5
b71a959b182556b8281bcb15832cc9db

SHA1
6d615038d101adca05e39a6568f1ea7f920dc4fd

SHA256
e32cf69c2e86f38271b8bde902708f84debbd35ecc6da3579581061522ec10a8

SHA512
5474ea55cc5dddba15d6ad532d818c00eb79c93d16ac2a5f84e81e97eaefedd4dfdec7774b02aa416e8ea00ee86109ba62dd971f19710800fc1a81cc077c3aa5

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
59KB

MD5
f3c0df893ad3789a82f988a6da33145e

SHA1
246a559153d167c57b4c497fd6f9a32db7815059

SHA256
31e9995cdefbf68f75276a22469234c7443ae97d19a3bd50775121ceb063859d

SHA512
377e757c3af8e6c15d0327a370bda98857f304b211e6df06c553659e77de87bb7b6c1e41b5359902b90d2c53c247babd8df4d594e3716c78634b46e08581ff72

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
59KB

MD5
bb83342756f8934401a9f7d13aaa37a1

SHA1
d9727063ff552662ba772baf6ad7a2e129a225d0

SHA256
3f20793704aaee39ee8a724e4f6d034a73d440d876295d3b8db0718ef2bc3f65

SHA512
34b396952d7087d89b428f77062aca55fcac947908d9cf4f3d76a6a8c000330ff67ca6d0b132b81d400750a0434d330587c370951680f7ee4779b1152d7aff8a

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
59KB

MD5
73839cb7c2cd9ba84c6c5584833dda62

SHA1
88d6b29da4253b7650a855ea74376711eed039e6

SHA256
8fb0fac86d12d76f85fd3c296a009c28a4b02e241c9feab7a6517a361beff81a

SHA512
4cf8505b8696164f3a76587209c12f7709a64e80fd6f079232a732d4c07fef57c804d1f6d5e66c7812fe2fb40b9fdc4e0ac6fc9a3af1fe0f9d34d80be979b006

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
59KB

MD5
650e6d12f05de9f00200cc65be6afd66

SHA1
1c3d7438e5315e35e2af212c01feacae0d8b97e1

SHA256
f8465f640c49ea902d70986d8e65ab2ad42c866ec3185547e1457754ad7e2e0a

SHA512
3c1e3dc0f4a2fc6443d869d986aa608be187766e7fca97f54a5b2077c786fbfa77b1d4c7d5a7efba4d54caf8e604c6e1917a1a0a34a5a712dfad1ea7dfa5ac51

Download Submit
\Windows\SysWOW64\Fddmgjpo.exe

Filesize
59KB

MD5
57aafecd021362abd5c8258080d9839e

SHA1
ca2e5b6a76f66e139765bbbe6c80f8dea90127b3

SHA256
3af5dfb154b3193707d92b6a81c90e63db0a5da69540b6e615297253dad0e86f

SHA512
b3f7ddc9f1b42c455974286c1b1538a6eac0645058cfed81c9266c6fb2571a5d8d3133eba5b35ce7788f52e4d0ebd913fe55ab2cce72233df384a1a672dd2ca3

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
59KB

MD5
b6d73c51bb1574e40962d1c8895f9fa8

SHA1
1a30ac8edc2270f05dff82d59a304ce10c808b82

SHA256
4f6491198dd36cfa1dbe81c13a7603b8d4bf892127ef4c6b925bf611b33b1064

SHA512
3acf6824bb8a6658c151182a4f2f6e30c55a9774878486b5372a3fe211d375a97969ef8f63a62267480d65071690c16a00d2f2ee1948298072e6326385433a4e

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe

Filesize
59KB

MD5
15539183f6d5ce91b60fdaad05ae54aa

SHA1
970684469c297018b9fdb2a51d7d2e16851e6401

SHA256
d1e1bf8dcb5bd4fef49d29bed61e145daf5fcf38adcbd90519e8d9997858fca6

SHA512
32f2eed35f57399f8771a41087ef30cf931e783dcc79cac997883885267cc188266be2e2e921a8db699e2764a39095aa1b86ce5639a91ddeaed4cf9eea10582f

Download Submit
\Windows\SysWOW64\Ffpmnf32.exe

Filesize
59KB

MD5
3cd90d6071e37e7bd09c228a4a356e2c

SHA1
170b6ec0da6b64d0ae5339ea863da25cc526704d

SHA256
a234f440d439c7b42db6c0b1ce6be164689b7afaf752a3378723a206ffec7558

SHA512
cbc753662e68ab8a90d4123d9ceb5a5b03e7d13dd585d880da1eb248238e690a54e82ec9a6a902622c985379ce457a8b4431209b622228e88dc85d7ded525709

Download Submit
\Windows\SysWOW64\Filldb32.exe

Filesize
59KB

MD5
1f2e1720d4831d0e8275278cff46345c

SHA1
debb769b0be2a93eff29b1814a0858758eca9038

SHA256
269073f99198c16b713ab7ea311d3a5a789ebaf88dc321b4f1c0514402e66129

SHA512
22699bf4ee4d337edbb73e3c40e78e4538192fad148eb0a7c49fe05edab15e7292d7b8b413d38edd579012362acb31cd574fbbf06381cfc4eaf30e24bee53c96

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
59KB

MD5
924f2cf0c34fe6f423cf332b87bcac78

SHA1
9fd24cf0d2b05a5a8d593ffb189a224d6cb1e4d9

SHA256
0cb927d42772398677d4f87ccbf208e6693b26b6e8c92060e30fe0e1b137ab6e

SHA512
6597cb25dd9c57736227fb82dd66c4507b7d282a9e724fb3109894d3e91dc01066bb731173b8fce9e43c0965d20063d7de0965617f53105757465b67cd2ddfbf

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
59KB

MD5
224a0a7fa23e6e285497d3f2a044e7e5

SHA1
e75bdfe55223cbd73db870f8ab9ca9dd14ac69d8

SHA256
924203b4f7f35950851a1afe2606912f905d2e5de6bc76c444ccd07e8d00613f

SHA512
90e256c0c8814f937a436066a0b8089c0020c320c349f37386e954e5c1b10b9f05ad63e0bab2602afded6e5d955e3b388f55eea18aed7004eb6d29635205ab74

Download Submit
\Windows\SysWOW64\Gejcjbah.exe

Filesize
59KB

MD5
f4524c2efcc0f0d722bfec668bd5c39f

SHA1
ae77866696142a32ca24778e381c5079e5bb3888

SHA256
35384afe2c8926d50388dad5a4ddc5c7da4fca61607cbc1747c6718606da9e7b

SHA512
0be97271ed7b254b3f70e8d881e56aa682b2536a7d4bc466feb80c5d6263011da4e4f00bb8b0db79a48a5777951df9c6bd575d431b940917acbab589df945a23

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
59KB

MD5
b33634ca7993b48df14d7b3c75b18d04

SHA1
899486112e8712164c4e390fce4b31ea19f38e40

SHA256
9958ef34c740c0b84bdfcce6b030faba82ba0d647da55a71257e75d726009604

SHA512
119d0451db13aeabaeb930e8114b1c57623c6d28d73961ba8dbe85677e968e92f13a26daddd020c5efb5688daf9e6002f6ae3b023dfe95642cad01ac85ec3d98

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
59KB

MD5
4f606275a1be7becce2aa30c6e738bb6

SHA1
5a9a70c846b840613e0012bdf9404a46f6997ebe

SHA256
5a23ae4e77851c231aed4760c3364377741b1ba5e0b76658fb5ed18bc5ceec90

SHA512
4a6a4bd49f147c9b14dcaa5bd20b318ea7939fed5e844eecebd4545a36322b0c966eb804c60ebd59388ba74df24f0227d49bec3a8040b9ef8fb13510c2f22e05

Download Submit
\Windows\SysWOW64\Gkgkbipp.exe

Filesize
59KB

MD5
03e771de09c641a5fcb5871b7e82cd4a

SHA1
d024008b4428bfa2808ba53cc3d7409d8ccd4b4e

SHA256
0d23c1ecd2d464555abb47c642486b5ad845610971b137df03145d11b25dd034

SHA512
056aba93fb5333b1190d11d4d179c73ff506659a90621cb6e0febdb6947e0f865d83c0e796724c182845618e8938a4787d2b861da12bf79ab5c964490ae06984

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
59KB

MD5
8806885e2b963309909e3a1fc5cc28aa

SHA1
7cb63d0baa269d319c2cb912376abebe9e32f644

SHA256
902073a02e7b2b290f2faeee92eefcf66deacc616b28976bcd1224c566132c78

SHA512
f4fd8b233656c1332a98689401ca6d653554677cd2e592a6131dc1456e1705e976916443bfb2205975a395c0f6bd2b3bbed571cef87f90ced1f5542061c4e72f

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
59KB

MD5
8ec1ea6d5b14c1b52bb8c7bd68b37183

SHA1
4216b349bca7324671049642f9e0f314a37def74

SHA256
c8a2162660ed627d4dd87806cf2250b128ad9debee19ac97df4a3c6451a58852

SHA512
50f83a313136e4f1c2a497ccb93d4ca1705702a8ef47884ef6cceea2b98dc659cf26b3107a47dc12b860d26e310dbfbbe139f2069a3809f33eb987bc2e2a6c80

Download Submit
memory/316-436-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/316-440-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/316-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/348-273-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/348-274-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/348-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/844-233-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/844-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/844-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/952-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1008-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1008-296-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1008-295-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1120-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1220-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1220-313-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1220-318-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1300-285-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1300-284-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1300-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1408-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1524-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1524-329-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1524-324-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1544-405-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1544-406-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1544-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1616-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1616-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-61-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/1656-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1904-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1904-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-427-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2172-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-188-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/2324-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-26-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2356-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2396-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2396-306-0x0000000001F30000-0x0000000001F6A000-memory.dmp

Filesize
232KB

Download
memory/2396-307-0x0000000001F30000-0x0000000001F6A000-memory.dmp

Filesize
232KB

Download
memory/2400-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-7-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2400-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-428-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-429-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2448-441-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2496-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2520-373-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2520-369-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2520-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-340-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2580-339-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2580-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-383-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2596-384-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2596-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-39-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2716-451-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2744-445-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2744-46-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-362-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2752-361-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2752-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-450-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2784-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2784-413-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2784-417-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2844-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-347-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2844-351-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2860-458-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2860-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-385-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-391-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2928-395-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/3000-264-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/3000-263-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/3000-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3000-463-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3052-252-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3052-248-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3052-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3052-462-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads