7535a30a2ad1c0eab0f548e75880147526eaf042f51f51d8cf1471e69f5b9015

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Size

434KB
MD5

1cefbb0182282eeee18fa3de3a3ee690
SHA1

598b59f6970ab149ce516b29398dae4799c7b5c1
SHA256

7535a30a2ad1c0eab0f548e75880147526eaf042f51f51d8cf1471e69f5b9015
SHA512

f0c6ae6997fd28da5aebd7dc2ed285f73dd4d87ff8bae2899d27e1cf5604741680f37b1c26ad471a1149b05f415d9c280b645038d2ba9dd0319fab782d759bac
SSDEEP

6144:QpZ3bDQxSGYwVnXMo0X+mYJhqoxGfDxIAmZ4IB2mMWjWVWreN3SUeDRiwxELHIE0:QpZ3fG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcbqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbhnaho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdjbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbhnaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgmglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe

Executes dropped EXE 32 IoCs

pid	Process
1280	Bpcbqk32.exe
2104	Cgpgce32.exe
2924	Cfbhnaho.exe
2712	Ckdjbh32.exe
2232	Cndbcc32.exe
2584	Dgmglh32.exe
2688	Dbehoa32.exe
2880	Dkmmhf32.exe
2340	Djefobmk.exe
1048	Epdkli32.exe
2620	Enihne32.exe
552	Eiaiqn32.exe
1192	Ffkcbgek.exe
2940	Faagpp32.exe
560	Fbgmbg32.exe
1824	Fiaeoang.exe
1140	Gobgcg32.exe
1748	Gelppaof.exe
1064	Goddhg32.exe
1296	Gdamqndn.exe
940	Gmjaic32.exe
2188	Ghoegl32.exe
1028	Hmlnoc32.exe
880	Hkpnhgge.exe
2424	Hdhbam32.exe
2900	Hnagjbdf.exe
2704	Hobcak32.exe
2780	Hlfdkoin.exe
2624	Hacmcfge.exe
2884	Hogmmjfo.exe
3020	Idceea32.exe
2400	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
1280	Bpcbqk32.exe
1280	Bpcbqk32.exe
2104	Cgpgce32.exe
2104	Cgpgce32.exe
2924	Cfbhnaho.exe
2924	Cfbhnaho.exe
2712	Ckdjbh32.exe
2712	Ckdjbh32.exe
2232	Cndbcc32.exe
2232	Cndbcc32.exe
2584	Dgmglh32.exe
2584	Dgmglh32.exe
2688	Dbehoa32.exe
2688	Dbehoa32.exe
2880	Dkmmhf32.exe
2880	Dkmmhf32.exe
2340	Djefobmk.exe
2340	Djefobmk.exe
1048	Epdkli32.exe
1048	Epdkli32.exe
2620	Enihne32.exe
2620	Enihne32.exe
552	Eiaiqn32.exe
552	Eiaiqn32.exe
1192	Ffkcbgek.exe
1192	Ffkcbgek.exe
2940	Faagpp32.exe
2940	Faagpp32.exe
560	Fbgmbg32.exe
560	Fbgmbg32.exe
1824	Fiaeoang.exe
1824	Fiaeoang.exe
1140	Gobgcg32.exe
1140	Gobgcg32.exe
1748	Gelppaof.exe
1748	Gelppaof.exe
1064	Goddhg32.exe
1064	Goddhg32.exe
1296	Gdamqndn.exe
1296	Gdamqndn.exe
940	Gmjaic32.exe
940	Gmjaic32.exe
2188	Ghoegl32.exe
2188	Ghoegl32.exe
1028	Hmlnoc32.exe
1028	Hmlnoc32.exe
880	Hkpnhgge.exe
880	Hkpnhgge.exe
2424	Hdhbam32.exe
2424	Hdhbam32.exe
2900	Hnagjbdf.exe
2900	Hnagjbdf.exe
2704	Hobcak32.exe
2704	Hobcak32.exe
2780	Hlfdkoin.exe
2780	Hlfdkoin.exe
2624	Hacmcfge.exe
2624	Hacmcfge.exe
2884	Hogmmjfo.exe
2884	Hogmmjfo.exe
3020	Idceea32.exe
3020	Idceea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epdkli32.exe	Djefobmk.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Faagpp32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Dkmmhf32.exe	Dbehoa32.exe
File opened for modification	C:\Windows\SysWOW64\Dkmmhf32.exe	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpgce32.exe	Bpcbqk32.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Dbehoa32.exe	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Ppmcfdad.dll	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Bpcbqk32.exe	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cgpgce32.exe	Bpcbqk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbhnaho.exe	Cgpgce32.exe
File created	C:\Windows\SysWOW64\Hpenlb32.dll	Ckdjbh32.exe
File created	C:\Windows\SysWOW64\Dgmglh32.exe	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Gclcefmh.dll	Bpcbqk32.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Epgnljad.dll	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Epdkli32.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Dgmglh32.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Lkcmiimi.dll	Dgmglh32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Epdkli32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Dlcdphdj.dll	Cfbhnaho.exe
File created	C:\Windows\SysWOW64\Dbehoa32.exe	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Glpjaf32.dll	Djefobmk.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Imhjppim.dll	Cgpgce32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ckdjbh32.exe	Cfbhnaho.exe
File opened for modification	C:\Windows\SysWOW64\Cndbcc32.exe	Ckdjbh32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Gelppaof.exe

Program crash 1 IoCs

pid	pid_target	Process
2404	2400	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll"	Cfbhnaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpcbqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Epdkli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll"	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djefobmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckdjbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epdkli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1280	2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1280	2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1280	2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1280	2228	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	28
PID 1280 wrote to memory of 2104	1280	Bpcbqk32.exe	29
PID 1280 wrote to memory of 2104	1280	Bpcbqk32.exe	29
PID 1280 wrote to memory of 2104	1280	Bpcbqk32.exe	29
PID 1280 wrote to memory of 2104	1280	Bpcbqk32.exe	29
PID 2104 wrote to memory of 2924	2104	Cgpgce32.exe	30
PID 2104 wrote to memory of 2924	2104	Cgpgce32.exe	30
PID 2104 wrote to memory of 2924	2104	Cgpgce32.exe	30
PID 2104 wrote to memory of 2924	2104	Cgpgce32.exe	30
PID 2924 wrote to memory of 2712	2924	Cfbhnaho.exe	31
PID 2924 wrote to memory of 2712	2924	Cfbhnaho.exe	31
PID 2924 wrote to memory of 2712	2924	Cfbhnaho.exe	31
PID 2924 wrote to memory of 2712	2924	Cfbhnaho.exe	31
PID 2712 wrote to memory of 2232	2712	Ckdjbh32.exe	32
PID 2712 wrote to memory of 2232	2712	Ckdjbh32.exe	32
PID 2712 wrote to memory of 2232	2712	Ckdjbh32.exe	32
PID 2712 wrote to memory of 2232	2712	Ckdjbh32.exe	32
PID 2232 wrote to memory of 2584	2232	Cndbcc32.exe	33
PID 2232 wrote to memory of 2584	2232	Cndbcc32.exe	33
PID 2232 wrote to memory of 2584	2232	Cndbcc32.exe	33
PID 2232 wrote to memory of 2584	2232	Cndbcc32.exe	33
PID 2584 wrote to memory of 2688	2584	Dgmglh32.exe	34
PID 2584 wrote to memory of 2688	2584	Dgmglh32.exe	34
PID 2584 wrote to memory of 2688	2584	Dgmglh32.exe	34
PID 2584 wrote to memory of 2688	2584	Dgmglh32.exe	34
PID 2688 wrote to memory of 2880	2688	Dbehoa32.exe	35
PID 2688 wrote to memory of 2880	2688	Dbehoa32.exe	35
PID 2688 wrote to memory of 2880	2688	Dbehoa32.exe	35
PID 2688 wrote to memory of 2880	2688	Dbehoa32.exe	35
PID 2880 wrote to memory of 2340	2880	Dkmmhf32.exe	36
PID 2880 wrote to memory of 2340	2880	Dkmmhf32.exe	36
PID 2880 wrote to memory of 2340	2880	Dkmmhf32.exe	36
PID 2880 wrote to memory of 2340	2880	Dkmmhf32.exe	36
PID 2340 wrote to memory of 1048	2340	Djefobmk.exe	37
PID 2340 wrote to memory of 1048	2340	Djefobmk.exe	37
PID 2340 wrote to memory of 1048	2340	Djefobmk.exe	37
PID 2340 wrote to memory of 1048	2340	Djefobmk.exe	37
PID 1048 wrote to memory of 2620	1048	Epdkli32.exe	38
PID 1048 wrote to memory of 2620	1048	Epdkli32.exe	38
PID 1048 wrote to memory of 2620	1048	Epdkli32.exe	38
PID 1048 wrote to memory of 2620	1048	Epdkli32.exe	38
PID 2620 wrote to memory of 552	2620	Enihne32.exe	39
PID 2620 wrote to memory of 552	2620	Enihne32.exe	39
PID 2620 wrote to memory of 552	2620	Enihne32.exe	39
PID 2620 wrote to memory of 552	2620	Enihne32.exe	39
PID 552 wrote to memory of 1192	552	Eiaiqn32.exe	40
PID 552 wrote to memory of 1192	552	Eiaiqn32.exe	40
PID 552 wrote to memory of 1192	552	Eiaiqn32.exe	40
PID 552 wrote to memory of 1192	552	Eiaiqn32.exe	40
PID 1192 wrote to memory of 2940	1192	Ffkcbgek.exe	41
PID 1192 wrote to memory of 2940	1192	Ffkcbgek.exe	41
PID 1192 wrote to memory of 2940	1192	Ffkcbgek.exe	41
PID 1192 wrote to memory of 2940	1192	Ffkcbgek.exe	41
PID 2940 wrote to memory of 560	2940	Faagpp32.exe	42
PID 2940 wrote to memory of 560	2940	Faagpp32.exe	42
PID 2940 wrote to memory of 560	2940	Faagpp32.exe	42
PID 2940 wrote to memory of 560	2940	Faagpp32.exe	42
PID 560 wrote to memory of 1824	560	Fbgmbg32.exe	43
PID 560 wrote to memory of 1824	560	Fbgmbg32.exe	43
PID 560 wrote to memory of 1824	560	Fbgmbg32.exe	43
PID 560 wrote to memory of 1824	560	Fbgmbg32.exe	43

C:\Users\Admin\AppData\Local\Temp\1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\Bpcbqk32.exe
  C:\Windows\system32\Bpcbqk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\Cgpgce32.exe
    C:\Windows\system32\Cgpgce32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\Cfbhnaho.exe
      C:\Windows\system32\Cfbhnaho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\Ckdjbh32.exe
        
        C:\Windows\system32\Ckdjbh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\Cndbcc32.exe
        
        C:\Windows\system32\Cndbcc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dgmglh32.exe
        
        C:\Windows\system32\Dgmglh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Dbehoa32.exe
        
        C:\Windows\system32\Dbehoa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Dkmmhf32.exe
        
        C:\Windows\system32\Dkmmhf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Djefobmk.exe
        
        C:\Windows\system32\Djefobmk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Epdkli32.exe
        
        C:\Windows\system32\Epdkli32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        33⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 140
        34⤵
        Program crash
        
        PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgpgce32.exe

Filesize
434KB

MD5
aff4de440d5c1158be3f1bdca95e29eb

SHA1
ce8446c54e685212589269de74623b9568e134f3

SHA256
d1e13797de9535ad86ea9e004a884a42b6afd53365cdaa6ffa05220683127d14

SHA512
1983640364134d1465172f09fae929ec6ea4776274dbecde5a80171f8ac3f80e13607e9632d204a789a8fbc9fdfe2afd6b582b4a54cbc56da0815dee60d997b0

Download Submit
C:\Windows\SysWOW64\Dgmglh32.exe

Filesize
434KB

MD5
a0a415293af9fd03057152fd6944452a

SHA1
29b795c1104b53fb51e42cdb7f03c50af9a25c24

SHA256
49c1bc48f612eeb07961a84e8ba7bfe4e6e483109bbf4e729c1d71c53e04366e

SHA512
b99e6b7591be9d2fc5af6a86659642b28d326f9fe575b96bdd09e830a25f84ef586d8683b835893bbcf83744c9648f529ecbdef8fdbb504804be911dbf7e9757

Download Submit
C:\Windows\SysWOW64\Dkmmhf32.exe

Filesize
434KB

MD5
dd006b5fac6acd1f387ba7171eb0decd

SHA1
c63fd012a9027ea522548810dad88a4d77c18ee6

SHA256
fa88a003088a2ab4347b7f6154cf78fb4c496105c3771cf4ae8e5486922eeb53

SHA512
53ff6200dbe90c3bd6443234d7c131b3ff25aaa372246e6806ed201b0bb2d60b81690fa0348edaa4170c8839478baac9c3adcd751e5c15de2ca09cf9dd77e259

Download Submit
C:\Windows\SysWOW64\Eiaiqn32.exe

Filesize
434KB

MD5
dd637e579bf83c28a7f2f853a5eb99e3

SHA1
1613ccc8ece06cda5db788196de64799044c4de9

SHA256
015e76435cc10426104ec0449f26007f2f8a099629f585e701d555f46a356b70

SHA512
238c3c760c76e7d4b30780614f1a706589f308455f4ac32de64b7b32bbfcb81a0d5fef497838922568c212beb997ca25f7d4bdd3c34a3c8d8ce9c15f8bd2843b

Download Submit
C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
434KB

MD5
02934d3210f90ccdcf0efe16d5dd7b3e

SHA1
d0ea819ffd82d1fca38bd84a478cae5872626023

SHA256
23827d8bfcdbb1d6d46e0699dc196db7f2fbd39a67b368ed3b1033945a3a85cb

SHA512
f83fe44ed921b04b4d4e467b9ad8d3b3351923c7b20c61f829d4d0c2ee5e8568234d62f6ef2a6ce3757dc53648dd1f13376200442aa8b46b1cce80396012b49c

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
434KB

MD5
f08ceba98d56a563403b423242491821

SHA1
6b9f598a2464387852882eda00d15c5f6d51e9ee

SHA256
57951592bd07c8948b1248c6071fc719fb59e8e95c3ade9f8a0bd4f489fc8260

SHA512
db0dbd4f4cd8e0476052692108808028e1ac2d2a6d0d9c3531df49c80b419951a072c8988de2e0ea75be0eab9365fb19a4a7c748aa2d0b54948cdc0ebfd80070

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
434KB

MD5
2f6a03c0ac233cc6ad345b794c0aa0e4

SHA1
b6b0d343f33be30d170629ee2fe2ddfafd45a820

SHA256
aed4a75f726c79b78969cf1f851af8129c9e16de907e89096136c81f3711b568

SHA512
7126358562d501c655d556511c0402a57d017f5431c66202db71900cf08703d16b40423d28c7d3f16abd00920ccaf6ca32c5f2e89b9a7b09faf81873817004c7

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
434KB

MD5
9921371abc98439b9e4fdb92efbff152

SHA1
6bea37fb5d6284ccc04ef83adb83470223a1d5ff

SHA256
e6cfb463a7006439f631d9e01110524d3e99e81b4962165f40cacf7275c23010

SHA512
a2c180ffbaee2158b978e2ccc361009ee8913f7815ce525aa3afdceb99d862c8ec7f70d1a8b14e422475dd0f1e75ae148d00ffdc557b97073504b8909ee81f9a

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
434KB

MD5
90cec653844fa9c014d7041582430efb

SHA1
d1dd1c31274bbd08dc4a7dc4fc3950da83856cec

SHA256
534cb53feb4fe9c1d8f98d9ef300a26599c8b5f3c7b7129851ce18a5831958e8

SHA512
788bf015ecefa188fe0c7fbfe33ed1cdee3251ff556c43e10819c6e5c54489d18a11895927b72cc7ddbbbd8329032612cc644ae901fac804d8745e8313b9bc51

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
434KB

MD5
bfb1e17db7650aff0eb4449292a4ad2a

SHA1
8ddd2ae9e4b730afeecb91f26c1768789593ca06

SHA256
b832b345e75bdd6900e504b63d2c2cac4242c8965eba63ab73cb9ab05c87b11b

SHA512
482f2c30fb4560363191c3aa1a55d2ef331fca7863ab1db96ac14c888a2ec449f652543bb57c51a91e6e2ef33fbc27568c01712bdba535e747756217f2969c20

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
434KB

MD5
699c8cd88efecbf3788c56e8298da297

SHA1
cb51e02b3a302f55fad5b95988ae9450916f8c56

SHA256
54c089d35ce85a11e4a9beeb0767c0f4399802183211cca692847a8cd3e85245

SHA512
3d850fbf08541b4592d5183ee1956b004bc5b9d254ebc2875dd88e3f449cd119a7e91a9d2ae79359a028b066ac281330c133ab6b546aa81ac5123d8fb4a38490

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
434KB

MD5
4f83a3e1011329e0c3d51800b6213b94

SHA1
97266cd584d12a24b20d12369760f48bbbdf948a

SHA256
5f612f5ca1b58ebbbecb10a99f8bf209ff1f8efd8808e5714f4d76777f795a6f

SHA512
935833fa1887ed40eb0ef1635929821c35350a5551d0f3de3cbef27597cb8b354d8c030e1e9d00b0f4aa4b5ebd929e469a91e93a53507be07843903314736769

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
434KB

MD5
24c4f55ec54002934567d67631d81f32

SHA1
a1f56cef09d235d57ffc6cbfb37f2e00bbae42f1

SHA256
786163a38581d42023d11439a21564f1d13f38560f6716f3c9da2874bede24cf

SHA512
a7aa2855fe18bab4290f2c2412a7a1d6f3e7f7160e308f1510dc6f358fac7fc1900160baef0d2bac2db0783ecea29b265dbf1d0799d290dbd541e4c51d78a5d2

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
434KB

MD5
14fa9b6655f7748467d8cacea376dd25

SHA1
38a67ad3e5b3f60e2c8bc9ce12fbf5586f1fc58a

SHA256
6e812410e735c5b5d2bf55d02c441913b4fb3dd562afdafc6c83cb518cedfcd6

SHA512
a4fe5329554584652ba8bd8ab58e9ebf94f0bcb5e32cb28ea142153cda41522ae7b38c74b44330f93497eb86453cc85864ad0c467c3f3d1b694ecfbd47be2d48

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
434KB

MD5
15af1d946c8d352ad23a327acaf0b020

SHA1
0bdf1362e92a4685f4a3072e9371f97849944351

SHA256
fc2c96e99cbf80ee2f04ad48ba78dd17c21a0f974d8b68166accfb605226a933

SHA512
463ed15b473b3d899317e357a70a4471606af893d7e429c57ea8d49e7bb4a975a505b4bbc81c3798e28091dff25b37bf4e4a766b355ab72513681e575b270aa4

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
434KB

MD5
9cb8a265e6cabf2107a32b517643384e

SHA1
9b92cce76ef88942ca34d1cc8c9319a53bc741be

SHA256
f2c10705f0049594dedc624a6dd38e99da0998abca90cea2c7600caca78931b1

SHA512
206c7686d45ec6bacedae4e481835ccab7c3303032c2e642d779dddfd228e0bc05be2a0d306487441fcf9c52b24080a3c0f1c912cabc17ce58fd9ea7f4412f03

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
434KB

MD5
8f13f25ad0d7dab0d95866ed712aa837

SHA1
c4e4a7302cc97858c63d5edaeb7921a0c686d1a2

SHA256
b23ede4b2b180a4c1050827ae14dcaa009aa7ffdd8e30c5a53617de890c6d510

SHA512
a311017cad2580146aa0a10af8bd4e3382daa2c28ca7ed90de2eb34ba43474200062872eb0dfbbb9dc35ff95a4a3cbccb90c54f40678a2418ebcc27dbe9504cf

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
434KB

MD5
04dd84ec79657e334c33893b33782b31

SHA1
ce85c56446144c0ef65ce6a539a7da697a2ff8b6

SHA256
800e0069bdf1ef18205ef940bdaa2a4c5776f9e205d64d90a6abd52c6eadd1c8

SHA512
8e37974015411bcf44af7e0d76c8b61019dd0e4380d2a6ff247435c38c1a085ca92e972aa8b384cd95ac3a79c4f7a24a5f5437e2ad11cbc5a22d6371786d685f

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
434KB

MD5
9c23db513cf7e65485b7aa06095ef184

SHA1
43ee52269edab14efdffad17d508c741dcd23e52

SHA256
52f60aa68383bc398bb644c9dc8bf9fa87f36fecd7deea8c07734e49a976d2ee

SHA512
be7a3b8b1e0499579dee520eee9820a538515276908c03c41f778a72e3a0d4244f828adc090067c6d7b44433639aee9dc1ae6ff5ef8bb82b2774725665334d15

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
434KB

MD5
e6fe384358fba27b212236684858ed57

SHA1
3053ac7459f2ddf2b68ef1bc688a5d3ffaa0b844

SHA256
4f133e73133db4dbd2bc24ed93f7f8e2a034a8bb5b4632bb84c9118ac0383c13

SHA512
c5dfe302a6a24710e591b98ecfa0b0dcc18f477e1c589457adbeaaee33311e1608ebd8ede345f9e02ec8114fbadaf850fa693a623edf72390ad1b1f668926ef4

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
434KB

MD5
df7a21e08f6da68571049333dd29e9cc

SHA1
a6ed06c591ce73094c5e14c16665b42ed4dbf053

SHA256
4b97602bd81f7bd5fbda4c84e85bd4d86c64a9393da13bd36eacc14a2bed5066

SHA512
13de039a24da246b845d7544ed0aec498b7c1182b88b77a032f4ec0127f7e87dcdfdb33021e20454944ea94f1f6914aa15455ececa41ffc9bfec12357d000366

Download Submit
\Windows\SysWOW64\Bpcbqk32.exe

Filesize
434KB

MD5
86024237f001d9ce9600c03b6645697a

SHA1
c48c46bf7b7ff37cb9964e236b707274ba2b5e57

SHA256
72fdca866e78537592c9b62cd9dad672ca4ff6a31ab6779977edb8846a6698cb

SHA512
fdcf8cbd869b6d89ca36d1a71b1ae979e3bcd15fcb1265bc47b589d8575db57b263d73e0993806a79f7e762529a7af3da76edfd0a7c811ec48110b33bee2e8bb

Download Submit
\Windows\SysWOW64\Cfbhnaho.exe

Filesize
434KB

MD5
3348c800004d773525f46ec376b254c3

SHA1
d328053933cffcabfafdb2212e733975f86b279b

SHA256
e0fa19f8f9cb88b92c0a15699da964f3106be823715fa1b23fe4ed4083fecc24

SHA512
ace0d2fbbf95863279f4b04c4d931dd6fd5844cb0ac17c9b151fec07ca38567bcf723d65a18e2c70bac9ddbf16ab10bbd150dad5dcc189591804bcb42d2fe492

Download Submit
\Windows\SysWOW64\Ckdjbh32.exe

Filesize
434KB

MD5
52f38b2e3dfadb3b88bd8f409b80e483

SHA1
a5d1a6fed02d9a63c9dc7924c307b03b2136d855

SHA256
46c613bd33fd6e2b525c4af9c8fbb5a608260eecbafe65f09a4c9da425c17697

SHA512
1f49f06d1520e7467ff2985f3006b4eed8eab23ddc6401fb2f6474a3ea6822e99a14bfe9aa641c8b0c371745dd4d32e23eda23fde5481521e6cc42d5d79f9d87

Download Submit
\Windows\SysWOW64\Cndbcc32.exe

Filesize
434KB

MD5
5f6279a2451936a24b6c49f8be6233af

SHA1
ada91fd32cbd5f8d3fdd772c08504daf1ddbbc67

SHA256
c380712e5022a7505f166d89798bb1048d045a1508591f429d50c8ad6521eabf

SHA512
66288776e8c3b2712018936affafdc8cf47650dbdb080f4ab3eb652c24861c86e69f5a09f52f04a5ea3211005bc3aba0585e0d3308b1a723283f969992d1ff26

Download Submit
\Windows\SysWOW64\Dbehoa32.exe

Filesize
434KB

MD5
87ea391a16619af6ad521076e7903180

SHA1
b44fc90840ef41ccf6b92aed1afb16853dd3799b

SHA256
72c880a7dcc97ac44d5b08a5e3fe8c3b058c05045224180c66a7f55772c22b45

SHA512
9880869dbb0d846969264d94c79ba1fa54a08ef86c2d1d81204384d55e5e04881ab682198699d4c73205fd1a6eebcc0ff6df2aabd1ea8ec24d712c04c64a5e33

Download Submit
\Windows\SysWOW64\Djefobmk.exe

Filesize
434KB

MD5
6d7a3261e6a799e173ad111556d52b3d

SHA1
63154287fccb29db626cf605380bbd7f359aa7a6

SHA256
a807cf673d5ada6768a1801b7e2bc0abdb026cd2a57eb5453367627917fd128c

SHA512
1a993b283f6fab925be31fd701a423afa466a3c11202b059f67875d773825d3ac5bd71505de8969f6929ef58404fb787b3acfac16133ebffa76698f176fd85b7

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
434KB

MD5
f46b2bf6d681f918c441d4e0e0fd804d

SHA1
ff12b96a71e20289e8138024ae60f875e2edc895

SHA256
e3ebd199ba146c7477b911b4da371f4cdb283449e7bef905caca60f1bc808dcf

SHA512
28f482d06cfb3ee9ac5c7ed827f31dfc05ccc710abefb225fdce4d98550634531a09ed93742b9039fcf6edd943651200ccc6113a9c32d8a0c13cc567cf734b9f

Download Submit
\Windows\SysWOW64\Epdkli32.exe

Filesize
434KB

MD5
58d5bc45fa866cff3bb4ad96b545bc07

SHA1
78721c663ef59095af2c5f22fd7b073f41183f1c

SHA256
19bfbd00f246e7cb44b1e11d976c78e4bcf29dd30100ac459697bfc4548c1ddd

SHA512
fca80d0037105e00c23878bc9bdddb7dea1ba81aacea7c78437e87e2807b898417eb1747a527f1f1dccb5983af9eae4d558808ba41785a0ab170bf4efb9517cd

Download Submit
\Windows\SysWOW64\Faagpp32.exe

Filesize
434KB

MD5
9980f403b34da039fee6af5535f1c329

SHA1
c5cfa59716a0039f855a3b0a40172f924885e67d

SHA256
11193746f48b57496d93116d54cff4552c0d7cf1f4697dee3299a28ce32d9602

SHA512
5428fbfc5181a429c7a68ab5f58c5534bb5b6df1922439a6271694db14b0316b7b416c6ac13631ef2003a673777fafb1d9418cf977981bd71d9c42d39c5f7327

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
434KB

MD5
879bae89e79fa4a75c86353f44a89469

SHA1
3fe5d5a568bea68ec0a25cab7c449b5c39ef08c0

SHA256
8aeebc62799b1607de34fc1eea762151f69fbf21acddae7e05e5bf20a705c49a

SHA512
d77f34cd20a7ee19551519a951f5a70aebdc4e6ee5956339fe387ef7b3f2109d7f29772486563f799bdb0781bd03e0ccdedb495c5252b3de867cb194eadfc820

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe

Filesize
434KB

MD5
a51d28460bd92f95abf852d87887342a

SHA1
46a15aa4eb0f4341aa5a4317c20a55f6953dc5e1

SHA256
fb4e8e90cff09596e9d1f41c154e6db29e6c4257a18c9604095f27338f1927db

SHA512
f446599d67ec4f3b96ff4187b2435fd708c23470348e2c5a4909b4443c52f0a9a41cc80bb7f0d4823db71f945bf93631b841dde3f518c4bc6db690c34b756c6a

Download Submit
memory/552-169-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/552-181-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/552-182-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/560-228-0x00000000002D0000-0x0000000000368000-memory.dmp

Filesize
608KB

Download
memory/560-227-0x00000000002D0000-0x0000000000368000-memory.dmp

Filesize
608KB

Download
memory/560-219-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/880-318-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/880-324-0x0000000000330000-0x00000000003C8000-memory.dmp

Filesize
608KB

Download
memory/880-328-0x0000000000330000-0x00000000003C8000-memory.dmp

Filesize
608KB

Download
memory/940-295-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/940-294-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/940-285-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1028-317-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1028-316-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1028-307-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1048-152-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1048-151-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1048-139-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1064-273-0x0000000000700000-0x0000000000798000-memory.dmp

Filesize
608KB

Download
memory/1064-263-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1064-272-0x0000000000700000-0x0000000000798000-memory.dmp

Filesize
608KB

Download
memory/1140-251-0x0000000000300000-0x0000000000398000-memory.dmp

Filesize
608KB

Download
memory/1140-241-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1140-250-0x0000000000300000-0x0000000000398000-memory.dmp

Filesize
608KB

Download
memory/1192-197-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/1192-196-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/1192-187-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1280-474-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1280-13-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1280-26-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/1296-280-0x0000000000300000-0x0000000000398000-memory.dmp

Filesize
608KB

Download
memory/1296-284-0x0000000000300000-0x0000000000398000-memory.dmp

Filesize
608KB

Download
memory/1296-274-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1748-262-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/1748-261-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/1748-252-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1824-239-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1824-240-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/1824-229-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2104-40-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/2104-39-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/2104-476-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2104-27-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2188-299-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2188-305-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/2188-306-0x0000000000260000-0x00000000002F8000-memory.dmp

Filesize
608KB

Download
memory/2228-472-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2228-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2228-6-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/2232-482-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2232-73-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2340-137-0x0000000001FE0000-0x0000000002078000-memory.dmp

Filesize
608KB

Download
memory/2340-138-0x0000000001FE0000-0x0000000002078000-memory.dmp

Filesize
608KB

Download
memory/2400-406-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2424-329-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2424-338-0x00000000002D0000-0x0000000000368000-memory.dmp

Filesize
608KB

Download
memory/2424-339-0x00000000002D0000-0x0000000000368000-memory.dmp

Filesize
608KB

Download
memory/2584-90-0x0000000000320000-0x00000000003B8000-memory.dmp

Filesize
608KB

Download
memory/2584-82-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2584-484-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2620-154-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2620-167-0x0000000002060000-0x00000000020F8000-memory.dmp

Filesize
608KB

Download
memory/2620-168-0x0000000002060000-0x00000000020F8000-memory.dmp

Filesize
608KB

Download
memory/2624-373-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2624-383-0x0000000000310000-0x00000000003A8000-memory.dmp

Filesize
608KB

Download
memory/2624-382-0x0000000000310000-0x00000000003A8000-memory.dmp

Filesize
608KB

Download
memory/2688-109-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/2688-100-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2688-486-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2704-355-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2704-361-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/2704-360-0x00000000004A0000-0x0000000000538000-memory.dmp

Filesize
608KB

Download
memory/2712-55-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2712-67-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/2712-480-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2780-362-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2780-371-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download
memory/2780-372-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download
memory/2880-123-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download
memory/2880-488-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2880-118-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download
memory/2880-110-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2884-387-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2884-390-0x0000000001FE0000-0x0000000002078000-memory.dmp

Filesize
608KB

Download
memory/2884-394-0x0000000001FE0000-0x0000000002078000-memory.dmp

Filesize
608KB

Download
memory/2900-353-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/2900-340-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2900-346-0x0000000000510000-0x00000000005A8000-memory.dmp

Filesize
608KB

Download
memory/2924-478-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2924-42-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2940-199-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2940-211-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/2940-212-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/3020-405-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download
memory/3020-395-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3020-404-0x0000000000350000-0x00000000003E8000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads