e2b9567196a0c14ec93355d1ce88524ac6ad673a1d2c6d38fae69e59bd0431f2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
Size

121KB
MD5

35912acbc8754e48797821d5a7a01f80
SHA1

18d4e23175f757476e07ac8a43302f457f5141c5
SHA256

e2b9567196a0c14ec93355d1ce88524ac6ad673a1d2c6d38fae69e59bd0431f2
SHA512

c56823e51013420ac0dd53aff8cc6b2592c3f18c2e73cfd9901d34ad120e3db0cb5be363bb07f661812f24204b598c1988032c1d869f798e2e3cf11271ba72ae
SSDEEP

1536:ML1AZdM3wR9kUGuj3H/mr/5D9Qyl71EqkVf1Ex9CV19zQYOd5ijJnD5ir3oGuiWP:MLi/k+H/mrLiqo1ExsO7AJnD5tvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bommnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkhcmgnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddagfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bommnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enkece32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbjopoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnefdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflgccbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bokphdld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnefdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Comimg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkdmcdoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbjopoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdfflm32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000c00000001227b-5.dat	family_berbew
behavioral1/memory/2428-6-0x0000000000310000-0x0000000000357000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015cc7-18.dat	family_berbew
behavioral1/memory/2448-26-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015cf0-32.dat	family_berbew
behavioral1/memory/2448-38-0x0000000000450000-0x0000000000497000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015d0c-46.dat	family_berbew
behavioral1/memory/2788-53-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2712-45-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00080000000165a8-61.dat	family_berbew
behavioral1/memory/2788-63-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016c56-73.dat	family_berbew
behavioral1/memory/1980-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016c7a-86.dat	family_berbew
behavioral1/memory/1980-87-0x0000000000450000-0x0000000000497000-memory.dmp	family_berbew
behavioral1/memory/1976-94-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016ce7-100.dat	family_berbew
behavioral1/memory/2824-107-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d2c-113.dat	family_berbew
behavioral1/memory/2824-119-0x00000000002A0000-0x00000000002E7000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d3d-126.dat	family_berbew
behavioral1/memory/1180-133-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d4e-139.dat	family_berbew
behavioral1/memory/236-146-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d65-152.dat	family_berbew
behavioral1/memory/2828-159-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0038000000015c93-165.dat	family_berbew
behavioral1/memory/1492-172-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016dda-178.dat	family_berbew
behavioral1/memory/1492-179-0x00000000002F0000-0x0000000000337000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016de7-191.dat	family_berbew
behavioral1/memory/1952-193-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017042-206.dat	family_berbew
behavioral1/memory/1616-212-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1676-210-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1616-222-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017486-221.dat	family_berbew
behavioral1/memory/1792-226-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000018663-229.dat	family_berbew
behavioral1/memory/440-234-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/440-240-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x001100000001867a-243.dat	family_berbew
behavioral1/files/0x00050000000186e6-251.dat	family_berbew
behavioral1/memory/980-250-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1336-256-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00050000000186ff-263.dat	family_berbew
behavioral1/memory/1820-271-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2044-277-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000500000001873f-273.dat	family_berbew
behavioral1/files/0x000500000001878d-283.dat	family_berbew
behavioral1/files/0x0005000000019228-294.dat	family_berbew
behavioral1/memory/2124-288-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/976-299-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/976-305-0x0000000000330000-0x0000000000377000-memory.dmp	family_berbew
behavioral1/files/0x000500000001925d-306.dat	family_berbew
behavioral1/memory/2444-318-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0005000000019275-314.dat	family_berbew
behavioral1/memory/2944-321-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0005000000019381-327.dat	family_berbew
behavioral1/memory/492-335-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1572-332-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00050000000193a5-342.dat	family_berbew
behavioral1/memory/2340-346-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 63 IoCs

pid	Process
344	Bokphdld.exe
2448	Bommnc32.exe
2712	Bkdmcdoe.exe
2788	Bnbjopoi.exe
2548	Bnefdp32.exe
1980	Cjlgiqbk.exe
1976	Ccdlbf32.exe
2824	Cnippoha.exe
2300	Cfeddafl.exe
1180	Comimg32.exe
236	Cjbmjplb.exe
2828	Ckdjbh32.exe
1492	Cdlnkmha.exe
1952	Chhjkl32.exe
1676	Dkhcmgnl.exe
1616	Ddagfm32.exe
1792	Dbehoa32.exe
440	Ddcdkl32.exe
980	Dkmmhf32.exe
1336	Ddeaalpg.exe
1820	Doobajme.exe
2044	Dgfjbgmh.exe
2124	Ecmkghcl.exe
976	Eflgccbp.exe
2444	Ebbgid32.exe
2944	Ekklaj32.exe
492	Enkece32.exe
2340	Eajaoq32.exe
2728	Ebinic32.exe
1804	Faokjpfd.exe
2896	Fhhcgj32.exe
2568	Ffkcbgek.exe
2564	Ffnphf32.exe
3036	Fjlhneio.exe
2096	Flmefm32.exe
1924	Fmlapp32.exe
2316	Gonnhhln.exe
2868	Gfefiemq.exe
2084	Gangic32.exe
2916	Gkgkbipp.exe
1256	Ghkllmoi.exe
1068	Gkihhhnm.exe
592	Geolea32.exe
2336	Gdamqndn.exe
2908	Gogangdc.exe
352	Hgbebiao.exe
296	Hmlnoc32.exe
3068	Hdfflm32.exe
1144	Hkpnhgge.exe
2948	Hnojdcfi.exe
556	Hdhbam32.exe
1796	Hggomh32.exe
2668	Hnagjbdf.exe
2664	Hlcgeo32.exe
2676	Hgilchkf.exe
2632	Hjhhocjj.exe
2636	Hhjhkq32.exe
3032	Hacmcfge.exe
2760	Hhmepp32.exe
1224	Hkkalk32.exe
2840	Idceea32.exe
1248	Ilknfn32.exe
532	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
344	Bokphdld.exe
344	Bokphdld.exe
2448	Bommnc32.exe
2448	Bommnc32.exe
2712	Bkdmcdoe.exe
2712	Bkdmcdoe.exe
2788	Bnbjopoi.exe
2788	Bnbjopoi.exe
2548	Bnefdp32.exe
2548	Bnefdp32.exe
1980	Cjlgiqbk.exe
1980	Cjlgiqbk.exe
1976	Ccdlbf32.exe
1976	Ccdlbf32.exe
2824	Cnippoha.exe
2824	Cnippoha.exe
2300	Cfeddafl.exe
2300	Cfeddafl.exe
1180	Comimg32.exe
1180	Comimg32.exe
236	Cjbmjplb.exe
236	Cjbmjplb.exe
2828	Ckdjbh32.exe
2828	Ckdjbh32.exe
1492	Cdlnkmha.exe
1492	Cdlnkmha.exe
1952	Chhjkl32.exe
1952	Chhjkl32.exe
1676	Dkhcmgnl.exe
1676	Dkhcmgnl.exe
1616	Ddagfm32.exe
1616	Ddagfm32.exe
1792	Dbehoa32.exe
1792	Dbehoa32.exe
440	Ddcdkl32.exe
440	Ddcdkl32.exe
980	Dkmmhf32.exe
980	Dkmmhf32.exe
1336	Ddeaalpg.exe
1336	Ddeaalpg.exe
1820	Doobajme.exe
1820	Doobajme.exe
2044	Dgfjbgmh.exe
2044	Dgfjbgmh.exe
2124	Ecmkghcl.exe
2124	Ecmkghcl.exe
976	Eflgccbp.exe
976	Eflgccbp.exe
2444	Ebbgid32.exe
2444	Ebbgid32.exe
1572	Epieghdk.exe
1572	Epieghdk.exe
492	Enkece32.exe
492	Enkece32.exe
2340	Eajaoq32.exe
2340	Eajaoq32.exe
2728	Ebinic32.exe
2728	Ebinic32.exe
1804	Faokjpfd.exe
1804	Faokjpfd.exe
2896	Fhhcgj32.exe
2896	Fhhcgj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eajaoq32.exe	Enkece32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Ecmkghcl.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Dbehoa32.exe	Ddagfm32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hfmpcjge.dll	Bnbjopoi.exe
File created	C:\Windows\SysWOW64\Ffakeiib.dll	Bnefdp32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Bnefdp32.exe	Bnbjopoi.exe
File created	C:\Windows\SysWOW64\Cdlnkmha.exe	Ckdjbh32.exe
File created	C:\Windows\SysWOW64\Dkhcmgnl.exe	Chhjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Eflgccbp.exe	Ecmkghcl.exe
File created	C:\Windows\SysWOW64\Keledb32.dll	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnefdp32.exe	Bnbjopoi.exe
File created	C:\Windows\SysWOW64\Dkmmhf32.exe	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Dmljjm32.dll	Cnippoha.exe
File opened for modification	C:\Windows\SysWOW64\Comimg32.exe	Cfeddafl.exe
File created	C:\Windows\SysWOW64\Ljpghahi.dll	Chhjkl32.exe
File created	C:\Windows\SysWOW64\Mkaggelk.dll	Doobajme.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Eflgccbp.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Lilchoah.dll	Bokphdld.exe
File created	C:\Windows\SysWOW64\Mocaac32.dll	Bkdmcdoe.exe
File created	C:\Windows\SysWOW64\Nlbodgap.dll	Ckdjbh32.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Bokphdld.exe	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cdlnkmha.exe	Ckdjbh32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Chhjkl32.exe	Cdlnkmha.exe
File opened for modification	C:\Windows\SysWOW64\Dgfjbgmh.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Pinfim32.dll	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Ddeaalpg.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Enkece32.exe	Epieghdk.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Bkdmcdoe.exe	Bommnc32.exe
File created	C:\Windows\SysWOW64\Cjlgiqbk.exe	Bnefdp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfeddafl.exe	Cnippoha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	532	WerFault.exe	91

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bokphdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll"	Cjlgiqbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll"	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkdmcdoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkhcmgnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkdmcdoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnefdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll"	Dkhcmgnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddagfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddeaalpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll"	Ccdlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keledb32.dll"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjlgiqbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll"	Ebbgid32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 344	2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 344	2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 344	2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 344	2428	35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe	28
PID 344 wrote to memory of 2448	344	Bokphdld.exe	29
PID 344 wrote to memory of 2448	344	Bokphdld.exe	29
PID 344 wrote to memory of 2448	344	Bokphdld.exe	29
PID 344 wrote to memory of 2448	344	Bokphdld.exe	29
PID 2448 wrote to memory of 2712	2448	Bommnc32.exe	30
PID 2448 wrote to memory of 2712	2448	Bommnc32.exe	30
PID 2448 wrote to memory of 2712	2448	Bommnc32.exe	30
PID 2448 wrote to memory of 2712	2448	Bommnc32.exe	30
PID 2712 wrote to memory of 2788	2712	Bkdmcdoe.exe	31
PID 2712 wrote to memory of 2788	2712	Bkdmcdoe.exe	31
PID 2712 wrote to memory of 2788	2712	Bkdmcdoe.exe	31
PID 2712 wrote to memory of 2788	2712	Bkdmcdoe.exe	31
PID 2788 wrote to memory of 2548	2788	Bnbjopoi.exe	32
PID 2788 wrote to memory of 2548	2788	Bnbjopoi.exe	32
PID 2788 wrote to memory of 2548	2788	Bnbjopoi.exe	32
PID 2788 wrote to memory of 2548	2788	Bnbjopoi.exe	32
PID 2548 wrote to memory of 1980	2548	Bnefdp32.exe	33
PID 2548 wrote to memory of 1980	2548	Bnefdp32.exe	33
PID 2548 wrote to memory of 1980	2548	Bnefdp32.exe	33
PID 2548 wrote to memory of 1980	2548	Bnefdp32.exe	33
PID 1980 wrote to memory of 1976	1980	Cjlgiqbk.exe	34
PID 1980 wrote to memory of 1976	1980	Cjlgiqbk.exe	34
PID 1980 wrote to memory of 1976	1980	Cjlgiqbk.exe	34
PID 1980 wrote to memory of 1976	1980	Cjlgiqbk.exe	34
PID 1976 wrote to memory of 2824	1976	Ccdlbf32.exe	35
PID 1976 wrote to memory of 2824	1976	Ccdlbf32.exe	35
PID 1976 wrote to memory of 2824	1976	Ccdlbf32.exe	35
PID 1976 wrote to memory of 2824	1976	Ccdlbf32.exe	35
PID 2824 wrote to memory of 2300	2824	Cnippoha.exe	36
PID 2824 wrote to memory of 2300	2824	Cnippoha.exe	36
PID 2824 wrote to memory of 2300	2824	Cnippoha.exe	36
PID 2824 wrote to memory of 2300	2824	Cnippoha.exe	36
PID 2300 wrote to memory of 1180	2300	Cfeddafl.exe	37
PID 2300 wrote to memory of 1180	2300	Cfeddafl.exe	37
PID 2300 wrote to memory of 1180	2300	Cfeddafl.exe	37
PID 2300 wrote to memory of 1180	2300	Cfeddafl.exe	37
PID 1180 wrote to memory of 236	1180	Comimg32.exe	38
PID 1180 wrote to memory of 236	1180	Comimg32.exe	38
PID 1180 wrote to memory of 236	1180	Comimg32.exe	38
PID 1180 wrote to memory of 236	1180	Comimg32.exe	38
PID 236 wrote to memory of 2828	236	Cjbmjplb.exe	39
PID 236 wrote to memory of 2828	236	Cjbmjplb.exe	39
PID 236 wrote to memory of 2828	236	Cjbmjplb.exe	39
PID 236 wrote to memory of 2828	236	Cjbmjplb.exe	39
PID 2828 wrote to memory of 1492	2828	Ckdjbh32.exe	40
PID 2828 wrote to memory of 1492	2828	Ckdjbh32.exe	40
PID 2828 wrote to memory of 1492	2828	Ckdjbh32.exe	40
PID 2828 wrote to memory of 1492	2828	Ckdjbh32.exe	40
PID 1492 wrote to memory of 1952	1492	Cdlnkmha.exe	41
PID 1492 wrote to memory of 1952	1492	Cdlnkmha.exe	41
PID 1492 wrote to memory of 1952	1492	Cdlnkmha.exe	41
PID 1492 wrote to memory of 1952	1492	Cdlnkmha.exe	41
PID 1952 wrote to memory of 1676	1952	Chhjkl32.exe	42
PID 1952 wrote to memory of 1676	1952	Chhjkl32.exe	42
PID 1952 wrote to memory of 1676	1952	Chhjkl32.exe	42
PID 1952 wrote to memory of 1676	1952	Chhjkl32.exe	42
PID 1676 wrote to memory of 1616	1676	Dkhcmgnl.exe	43
PID 1676 wrote to memory of 1616	1676	Dkhcmgnl.exe	43
PID 1676 wrote to memory of 1616	1676	Dkhcmgnl.exe	43
PID 1676 wrote to memory of 1616	1676	Dkhcmgnl.exe	43

C:\Users\Admin\AppData\Local\Temp\35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35912acbc8754e48797821d5a7a01f80_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\Bokphdld.exe
  C:\Windows\system32\Bokphdld.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\Bommnc32.exe
    C:\Windows\system32\Bommnc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Bkdmcdoe.exe
      C:\Windows\system32\Bkdmcdoe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Bnbjopoi.exe
        
        C:\Windows\system32\Bnbjopoi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Bnefdp32.exe
        
        C:\Windows\system32\Bnefdp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Cjlgiqbk.exe
        
        C:\Windows\system32\Cjlgiqbk.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ccdlbf32.exe
        
        C:\Windows\system32\Ccdlbf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Cnippoha.exe
        
        C:\Windows\system32\Cnippoha.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Cfeddafl.exe
        
        C:\Windows\system32\Cfeddafl.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Comimg32.exe
        
        C:\Windows\system32\Comimg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Cjbmjplb.exe
        
        C:\Windows\system32\Cjbmjplb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\Ckdjbh32.exe
        
        C:\Windows\system32\Ckdjbh32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cdlnkmha.exe
        
        C:\Windows\system32\Cdlnkmha.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Chhjkl32.exe
        
        C:\Windows\system32\Chhjkl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Dkhcmgnl.exe
        
        C:\Windows\system32\Dkhcmgnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ddagfm32.exe
        
        C:\Windows\system32\Ddagfm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Dbehoa32.exe
        
        C:\Windows\system32\Dbehoa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Ddcdkl32.exe
        
        C:\Windows\system32\Ddcdkl32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dkmmhf32.exe
        
        C:\Windows\system32\Dkmmhf32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Ddeaalpg.exe
        
        C:\Windows\system32\Ddeaalpg.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Doobajme.exe
        
        C:\Windows\system32\Doobajme.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dgfjbgmh.exe
        
        C:\Windows\system32\Dgfjbgmh.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ecmkghcl.exe
        
        C:\Windows\system32\Ecmkghcl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Eflgccbp.exe
        
        C:\Windows\system32\Eflgccbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Ebbgid32.exe
        
        C:\Windows\system32\Ebbgid32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ekklaj32.exe
        
        C:\Windows\system32\Ekklaj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Epieghdk.exe
        
        C:\Windows\system32\Epieghdk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Enkece32.exe
        
        C:\Windows\system32\Enkece32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2728
        
        C:\Windows\SysWOW64\Faokjpfd.exe
        
        C:\Windows\system32\Faokjpfd.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        65⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 140
        66⤵
        Program crash
        
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbehoa32.exe

Filesize
121KB

MD5
4edf7e2775369eb36d5ae91d176efcfb

SHA1
6ac93f7b875ab6a2f74a6131704fda4cb2ce3ef9

SHA256
7ee92ca69afa04d1523c10fa284834060dd996c5542b81e085438f7ed05b2566

SHA512
03ab343b4482be55fa11d29b433396862d4b1294f79d647f11d99415df87906265b904056f0f8b5d658f7c41a130880f9d8e60e921e016f4b53191efe9213362

Download Submit
C:\Windows\SysWOW64\Ddcdkl32.exe

Filesize
121KB

MD5
2bfc3d963127ea0c675d93bed73a5511

SHA1
f51636167470f07eadcdc17495683de185edcf4e

SHA256
7f69083e05631bd7fca5ce06de761f75f9f078b36dfc1ff19d87a2e32268282d

SHA512
7ead0a5ef499d5180fab56bcf9f67614ca7ba9766a071beb7182075ced88e06d2d0623380e36bd93e34d7bc678140026631b3cb7de04bdd5fb6dd9bfc91a5907

Download Submit
C:\Windows\SysWOW64\Ddeaalpg.exe

Filesize
121KB

MD5
d873d17d3c63f3ade1caf51eaf56f690

SHA1
284ffc538a607d601640c3a770d3bc095326f1c1

SHA256
96d3b8997f836ce6afda350a647782da5262c2b695560408b5a93b3a03cd6d04

SHA512
be9a0ffa6708647ecf212f2bbad1e1b7e64039a40a04969c4282185c7d66babc9b2488e675b6027279b78756eda75d5d3df4ef07c7b9b21b09ef734533f05dcf

Download Submit
C:\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
121KB

MD5
1644a366883f5499234a45158883c98c

SHA1
18a62c641267f348e8f5d56c2bd96d4b4cea15cc

SHA256
e4f7f503aaaaf88e5adb9841645e73ca6e015b06e741e42a9e9f5504d67e7e8e

SHA512
2f367dc454d3f2fdd5b1c8fe147778db9a056425ee0616a7a55083cee33a51041dd1db19053f8406881890bf9048986990d6e3ea6b93f691b4a48af21091006d

Download Submit
C:\Windows\SysWOW64\Dkmmhf32.exe

Filesize
121KB

MD5
5b7027c6ea21bfca9c21ad51441a6f3e

SHA1
e65ba8232d00e663b75e47c4038e3ee76360d1dd

SHA256
474ea4dca2af25cd50fa1cdfaeaa686c69723d9d3c29bbcf64d65f9094c30c30

SHA512
f9fa15c458ba215ba95cfae96d32603aba5080fa16c232d45a95cd99a1355b76c3e1b69fd8d07eb210213efac9a2ff890b8ef0d2e5f77b2ff865e3eb4636e919

Download Submit
C:\Windows\SysWOW64\Doobajme.exe

Filesize
121KB

MD5
f302428b46729cfcbfac1833242d46c6

SHA1
7de151fc495734d80624a9cad321d276c97773d4

SHA256
04f339f7d43e634ff7598d067cae8b30584e0df727ea1d50a60747e614f6975a

SHA512
397fdae40547f947ef2839ee3ff974b0990df08e59f4e0316b31ba61bef817ab28ef29a201c834bc16bff0807e29420a0c78d666c5aef48e30794dfbc3ee4bfc

Download Submit
C:\Windows\SysWOW64\Eajaoq32.exe

Filesize
121KB

MD5
31c00958c98dff463c025b1816d86362

SHA1
a45a4f98b0c7cdeb0c6fb4eb520e1bf66cd76673

SHA256
116b851f519316e700d573c8ac71ada8542e1ab47302ead9fdadad226a996814

SHA512
013fc9cb5b52e6752973a5a7bf9cbc5b8498ac7bc806f579ab263f1967da87afdc72c3790efb85a8c6910619587d24c4379dec77b39d5269370bbf1679747792

Download Submit
C:\Windows\SysWOW64\Ebbgid32.exe

Filesize
121KB

MD5
77f98e6f300c92a4a2169df28c4d2924

SHA1
badb79d5b632bd7d68d87569ee08362c899d537d

SHA256
09090e32cc0be607ca02ccf07de515b1eac8d6e55d5bded389072cedf739d2de

SHA512
44c5d8ec6f3239b7ab2fc2d3207b23546d22139d08e5f9bbad731f7321947a6432a5ca3a8f64df87fc7b8649e05a41242d57f76f2a2c70daf45483c6db89f92a

Download Submit
C:\Windows\SysWOW64\Ebinic32.exe

Filesize
121KB

MD5
8fe181cd08553715d0121a8cd7366f8c

SHA1
ba0c4ba8dc2f13f52b7dc10c64b65084eb838720

SHA256
da44eee32228fb7de9ebf4647a63d84226820c235411014c75fcebfd72f68fce

SHA512
df35a50964d4bcecc08c2f43edf8405fb31d743ebb4dd2c01043a5515ca46de918c5fde548a735630cb5c95470fd1d4db17ca9791267b6cd8501381a9b808112

Download Submit
C:\Windows\SysWOW64\Ecmkghcl.exe

Filesize
121KB

MD5
437a0d5fc8151971c8779334f28924e4

SHA1
c4fb7ab6157c302d9efa1847ad868a80da3c0760

SHA256
1a6a50000308a4e08d33bbd94c9f02303add90afeea78a3c83e46cfce040a6cd

SHA512
a1022c00fd87cfad1523e11a68e4038648876fc70346069d405a285a40da459a3d48f01e05a816a2f7812ad09be13abedb4189272733332e86835151ae92ed73

Download Submit
C:\Windows\SysWOW64\Eflgccbp.exe

Filesize
121KB

MD5
1762835ee4b8439df6443688bcc5e661

SHA1
2c0f053b596e64a29c749d5fc45d17ff9f08f3b5

SHA256
8593f78e762b9b6b2a995d493620b3e50524fa3c14deb3dc1e0f72ad7f6b9c6e

SHA512
66f2f1f19c7b8b916d6981a6edf7de4aaff7641c1ae92cd2c58df69fb2b5b911583bcf851bb24f1a89cd1020c237877bcc1928bf40aefd230a8bb70e49d0ceb5

Download Submit
C:\Windows\SysWOW64\Ekklaj32.exe

Filesize
121KB

MD5
1827616d11b5e27ee657562e32024ab2

SHA1
9742ef5546893315e42767a483238883644662ee

SHA256
2e3d6106b287de838cebfbb8e87646438ca36f9b983ef866e4c4d5e1dc200f98

SHA512
27c5a85dcf3bfbcc7282ace59edfb8e0c0f8aaa7077a1dfd2080e9d24bd2aad1cbe1e696f08dae7fcec7a81f96890fc02e32a9457f744e20a5d2f433464e3f52

Download Submit
C:\Windows\SysWOW64\Enkece32.exe

Filesize
121KB

MD5
966a34727bf827e370828d9af274d262

SHA1
efe1d5a77b52e4c31e6a2961ec13cf5943c63a91

SHA256
a6fe833eff039f8910d0d554ff331276d67faa6bcf1662eff5ad6eeabde05c3b

SHA512
28434d335c87d42c71f48bb2edff9e7be0e5353439854e79e8bcb071d0431f93c3f55c2099b636bd9fd4facd898f24869e563447d404e290664bbe1e546220c0

Download Submit
C:\Windows\SysWOW64\Faokjpfd.exe

Filesize
121KB

MD5
bc2d705406a4b372ac1f28e06ded78dd

SHA1
abc60397fc4bca8888523535738fe7e2bfa2e2ea

SHA256
27f965f3b3879f478a63f4fc34e46fda44de661ad2230426f6ad4b0daad4cce7

SHA512
242ce75086832de2a0cf323f616d00bc6c5596f57ae82a1c404d1fa4d07ab3d02806a49e76f366bc6f1dd1572a0a8926c0a6768b0654e79754c5254a85c5a538

Download Submit
C:\Windows\SysWOW64\Ffkcbgek.exe

Filesize
121KB

MD5
bc2a18e0dbca278fca490fe68d1ec8c4

SHA1
5207d8799fd990b383db794af8ef7a1b603134c9

SHA256
06697c11668a94ac23bce2505bcfcc687d872a2137b1b21fc80ebd5acd1994b2

SHA512
2685a3271ca7efa249ee715b0533f9deabe5ed649a7bea8033e8f2af9ea023bc479831d5dcc2070000be8208bb0e10ef7b6f3e96eb39cfc2c310c5b8c988c099

Download Submit
C:\Windows\SysWOW64\Ffnphf32.exe

Filesize
121KB

MD5
9363ed5f3013ed6b92a6a927318df614

SHA1
f5d0b518226ab31c1b4b427a6d963ce5ec21a5d0

SHA256
bfc08918ddfaf80f7d3cbf4bebda90dd7ca83d0997294b6493a3797c3e743917

SHA512
a5f835735896591891d5461cf88148b01929fcbb78505fd6da95577da1f65f184b3a610dd3a7c05b2831cc3e8837951e30ecd4d3599fc8203b8c94965f103723

Download Submit
C:\Windows\SysWOW64\Fhhcgj32.exe

Filesize
121KB

MD5
b1c610084c9f051edd46a053adb193fa

SHA1
26f855409133440a869b90ac51021b418b9bc752

SHA256
6edcf14eeb1f2f7cb363e70db6b9ff805eeabe0a4976e4dbb35707900265a8bd

SHA512
c390a3b2473297fc887b5bbb961944beb4dcb364df3cacfd43f4cd3a6e2960fb8173854ffbb9a7e2d6431412eb9b779fa2e136033f03d4a524b4b91c585377f7

Download Submit
C:\Windows\SysWOW64\Fjlhneio.exe

Filesize
121KB

MD5
11a05ba877ae8dc0ed1a771e8f648119

SHA1
c3d65f30ced7d3ade36d5f4dcd7be0f5e0af0561

SHA256
d599eb40f51e12c6231170b9ba9e37d14fb3bf7aa8d626cd4f9fb541d438eff5

SHA512
63b6e3adcc01d64d85f5d82a2a21dc64e69189ca5cc5ac6da90be1458aff643db8a74e6a724594cb4ac7c07dc45ec493bbf7c7fbce8f7f2318f907aadefe6c5d

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
121KB

MD5
b1fb9d1eda8def797c4dab3dfe099329

SHA1
1ebc14c86ea056ae15dd610724e627ab9ccb4099

SHA256
5769eec6545667b97115976e636b4eacbd73e036433aa06246048f39b1020e46

SHA512
a78dc688a4ee27c8e9993948f86f2802a925f738270557d9597ab3659614c212a8a39a83554f21fcd38430ad3a6cc3ff09bcc45a18620ff0bfbe49aa70417ad6

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
121KB

MD5
346d64bb6d6c057288574623ee044ba9

SHA1
67db980f882ce88d5408e59a2874c4a2cf445cb4

SHA256
95e86fa17ccc29e71ba80b3748260ced6be00b8a3aa5632060d780cf7975fa65

SHA512
933da976c505ffb84e64b67c19e6dddf64298788e092cdbaa88ca8dcbc4486422c788afa6e6a0871a9284bdd87a5899eb6b897444def9cb9744d2654fd196ef2

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
121KB

MD5
7292e60322b541c9acd734440488a076

SHA1
f8426584b6cf54c8879d8440e3c1368b039d97ab

SHA256
416a90acdd02515dd29cac395e7f9a1e8e8aff308cc8e4dc1062e1e5ff9af78d

SHA512
89775f99d30cd888d134eaa86f7daf2a88e7c0602cccc0ae7cf142a7521306d0f0325447762526cc8364911c5254877aab5f04693cbdf053f72ee3ba7b5978dd

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
121KB

MD5
ec8f51d31eaef065bc54404e1efb9073

SHA1
80849ddd441a9835b28af6226d1995b15e8b2379

SHA256
922143de66341b0bde40c5c87991fa25cc8cb6945b53f1c4c785db96f918ce88

SHA512
c3772c775fe76372e2f04e46a329748f212ac5b262101355bd14e171d2afa90282bd1465e4e4866e260d6078fc7279c0f35fc82fc766337608fab788feea4a02

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
121KB

MD5
f7978978f6ef5b98596e16244a223e0e

SHA1
99067ac6c14fd548969c79e4f96d0ead8ff6d6cb

SHA256
5400d7abb61a03337cb832ec2cb20cb1e49b9acf3dc1aa5317f6d0f2dd6ee686

SHA512
27fdc299f933d7bfde80b839ba88a029710105c975af3680df82576719b721e093fa937388d0fb0a521711204af0e57cec4e453ff968d5afdf77570ec2875a3f

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
121KB

MD5
e8c74da346a6b5379ddf02774c599291

SHA1
fc6e5f98d8d228907117ce97d5eba670a9d596b1

SHA256
4d62f12dd5c49f2bfce813d320d12c6dbf9e09c06a4208d19402a04dc0ee5869

SHA512
7547bcb2bebbf128a06acde2878f8c15718957680db988be32fc157a6dcce45ebdad82c7e6467ea39c9bd566711bf7d2437055bd445f3d54114fe9c0ef2d61ee

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
121KB

MD5
ab89bfb11bc19d4f398c96ceff7ea13a

SHA1
0668ffc9a91bd6a5b53e1b9364792c6e6dc4b87d

SHA256
705b9fb4c54c42845f1cfc124dc0a988de14c2a67411baf103dbb293a2df1daf

SHA512
e7ddfc928ae7f4846c5f9b19f42ace37ee06c254ee8c024c1f4d6c3d4cda970f842a4258c8d59f5cb04368cd375a5e35de6bca276f084ae6f586ba109bf247eb

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
121KB

MD5
55230c3da262f8f710881982dd6084a3

SHA1
81bd3095cdd1df1cde8f8550d3048431f2ad73a5

SHA256
863402ebd98c6f2d4c054662de284367cd02b4ce51b97728bcd32f9cc6478f5b

SHA512
00b1b1b6c9f9eaf85caf5511857c9a77458c9c70658db988b21eff5182b923781c6f0dbca7633979cfeb7a05c2724f9f762dd4d4dbb2e204d7cea6ca7b29a9c8

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
121KB

MD5
647949370be00833a0d31d7cc3447589

SHA1
8e409730a76c5ba1f81c15be032fd42c17a871cb

SHA256
23a6204b4ca893078abb5668c9ebfbf6130d773f2d0d33b506f39686fa53772c

SHA512
c20bf699fdd4ba527243b721bde767ad37b959a453a6a88d6a8e432c4bebeb6d77532ee01971f99b244b6eeadb047f531b0e75e881710f4680f493cc60c9062d

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
121KB

MD5
b3285a8848022b6a1daf9f301f78d515

SHA1
334f17e3a05c16898e136113617437cde6cd403c

SHA256
26a557751a64bc5798075c6a9c90d8844908716a3bd2df83596ba82e362ef444

SHA512
62c0ac09577453c33d8429c455d1bc8274751b9787e6f7bf1db33374f318c8c079debfa85e74032522155c07f918668c03700f7944b10f2a48268889f7feb201

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
121KB

MD5
bfb7be8e209030d6a9841aa9864bbe23

SHA1
c3918cf9023ec34581e9c6c6d2de137ed74153ba

SHA256
9dc0984525258977808ac866a174e73163592bcbed4c88c9c46ccf31193f2fdb

SHA512
0e1ed6288d5caec6c43ecc973fbc21dbc811ff839708acfb7bc478897f802dffab4ebe614f7e5e888bf86f6d140ff79685f7d39eb9362b94a51dfbb79d32a042

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
121KB

MD5
8b4d1baf18de90efe6a96aebd498177b

SHA1
d5bd7022fcdce1c320479df944f17f0cd6d708b0

SHA256
f0df04e3e075a233d7a1830d71154e1f43d52113b0a5f80e9a9fec90bea49ddd

SHA512
7b1807de46cb10b27c27640e1ca1797f4f163cfdca1df78f5128ed34e6117eaf6fa406aa15b4acc23937ba3503229e1b99197595f12b29752616b26596aa25c3

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
121KB

MD5
adf9ba0cd0e7b3799f8340d3871eda6e

SHA1
5e536a48aaf2b80ba63b26d72f3856b553dd4a7e

SHA256
4ec8557df35f9bd8f97c308f58666e6bf1c310ce892baeae6eb1ef3c6f218fe1

SHA512
58273d9e49b5444c6481b3fa9a3a04d573b84f2e37bbc13e5a4c720235b0a7f2dc094ae66aa14fc81ead056fe38bde59e2b7fc83ec529f58a779498758124f21

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
121KB

MD5
e29f5681f5a6f2d772d74fb0e73ba45f

SHA1
a1c2bd41e2e5ee6274f21d6a28b7c58ac75dccd0

SHA256
d6c5b7da44c98b0f7e60c628c89f4a46c3f05c118045490d924c71302f537ca3

SHA512
a6d7064da54fe768e4c402a402094ec0f3b60eff512de3f6860c1e9685843f95de65de23b8cfbd577ddd085f70ccbef8134b8c4711c217f72dd108110dffba1d

Download Submit
C:\Windows\SysWOW64\Hfmpcjge.dll

Filesize
7KB

MD5
5a1d6c42592d61b7a783b68541a458fc

SHA1
f7a03d1141c3938c3a6104b646036cf555af5729

SHA256
2bfd670f5d01cbc7ba7676c79d305249fb0740ee509a5d34515709bddcb9b59c

SHA512
330ffb41a25f623ce5f8eebd806ac2af9e910e3d73339bbf415907dd9c1a11d9c30c619288fad81a5b853526af8071accf0edab0a60638f4ab6d7f58973f9db3

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
121KB

MD5
3e6ee2b9b8f8b89872b224dcaea7560f

SHA1
c2856897410328ddae16e9a1459f88926f6d4df1

SHA256
fcdc09ddbc79b91cd594f6104b462c829ddf5173cbb257debdaab76bd51933db

SHA512
b49d5ed7373822f27b6d10e87e5852ea65a4975c040b70b1bdc9df2275439b1aaf93b6d4629709c3dc0913caacbbf70b17cc63c19dfb4c640ce0a2a42bc79159

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
121KB

MD5
5c4f31a86974712b609f55de32a8c00a

SHA1
2a032b32053ff30fb96e10bac4d6274eab772293

SHA256
f11f0ac7e8c6724fe621898dbc0022c4353a09c2db61881033fe2df43c0c973d

SHA512
29d059b56dfbd32f367a9a8ec0af64b5c6f8d5618407016d2290857f875f973db54dbdaa7489da01bf2fb99e720ca5db071aa80f789c690575118bbf2bc27acb

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
121KB

MD5
dc6c57473b9dabd136fa295ea82ec623

SHA1
2b9103a2d1d5118c51c62dbaa77f8c88dbb68b0e

SHA256
0b539c5db0f4edc8bf98291888cd126f7e167ca62baf8a9083744f7eb7488aab

SHA512
be83753b61000ec99ca97ee6e49fd8fb3140ab6317971095cb02ef112b60e13e9ce98c9bbeb537cba706c35646989e801a95c492470707824e70713d3e3fb3b6

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
121KB

MD5
6e3ace2b9e3d60d708a7dfffb4fa42b1

SHA1
97cf1d6a4a37c0d0b20ae1a41d9aaec3ad9f654c

SHA256
c7550794ba140e99e90a9209c3da16b6c476883f08961a5e0665b6e3cfcb8ad0

SHA512
fa2a00815226e51f1db69ca9f08e0cad408116cdc11ef58803a59b665b364a43893edea27c4692a0fdb9e1db5e9462f58d1a7b17d9c253e153d5d716c14159f7

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
121KB

MD5
6da8aeb72a857e179c9e2ae57573a13d

SHA1
1a62c07d3f27dafc59963b860f29f71d3c5bd5a1

SHA256
3bac83c413937d11cedea7aceccd96b87e7e24a14937b0b0903f6d696bd254d4

SHA512
3df848f12f283209f8fbf0057c898e7e4837c5390b6aa4d8e5c8ab8247de5955f20bc315caccd24b0a3974bea1484b9bb061c8f5601b9b7e27da0abecf98e723

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
121KB

MD5
63e40b0c56a058f6806c3d17b660aab2

SHA1
dd237d0a236626392ea8b24491111b440cfc427d

SHA256
ef57fc5cf5b6f451b9e8fad30fd96b2da0b6de0d5ce9443cc3b3046d32b7c579

SHA512
c3c8dd3706f7df496d52841ec6ad7e9674fce6c43ea5df00a8b6ead077ad87462b7462e447d891fc9cba03ea7b28d513d157bd9d3bd0e1419a55eaefbe4bdb00

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
121KB

MD5
e8c74fea5a18c9fcbdfe8af470993836

SHA1
8ce24b230a769370fa04eeb9e588259936db2c2a

SHA256
533ba432f0ae7d9cc5b7c6e022a968b7bfb50238524a9cc2752665b06c2ea737

SHA512
e9d2f81f0200a7b135523c9e26ad9332bde1c2b0d20894dacec4bc2f81e52a238d5560a471faad218812b7558e733c31b0ef5d33f962ba13298bdd5c5ddc0771

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
121KB

MD5
66d5d64471f82c40117051013e132cbf

SHA1
582373185552eba51553d89d45c09079215d0677

SHA256
243e5aac969bb7744d3d6985bf26a7c41bb2f86ed0f1e5b9757b56b7570bf808

SHA512
a3777f09147da2f09d5a8e1d8fc4db6601b3598525754b5bfe0b4896cffc36f4d1dc2a6fadd6a0e71a31f35ed0b6ed12b2f4b22cc8104780bf8e4a3400d038d4

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
121KB

MD5
ef4ac536d78b8765ca7bd0193e553f85

SHA1
c9c9d8ec606ee24e210e68f63c9ca894e3f7a1a5

SHA256
02419f71e4b923cefcacf9a4fba5d26fa52777696bc1ad49a3a57354a78ec10b

SHA512
d3cfd1890a596175c86eec543a9c5051144d8302a9226be9077751b831097dbdafa30e7e2aa565df5de69d5786af921d06d7964326b2b72987db3b750f3991e9

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
121KB

MD5
436e0c1f379868b323224eb4212311f2

SHA1
f56a38fea1cef34ef09a473748e12ecb0703ad60

SHA256
60ef6bc4ebf0416f4b6b38dcf3679f5f7e589437d8cb6e842f47ceb67050dbb2

SHA512
aaf8c058ef8d4ace0f1b3a717b640cbbd19aa615f689fb75fe40fc527cf1d12e2bf9c04d07fa2030111c72adc166db1896c69222b00c7740cb86407b9e9e6799

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
121KB

MD5
bfc742594d82d33471acf1c72bee7f7e

SHA1
0f2e970de2c38595806fd5b66cc0951ba2306e8e

SHA256
c94520a3726b695f811a026bb9d83127ea35b1ac31bb3d3d33801566e9385b43

SHA512
b3fbc14facf34b8ec35260ed590292cab8b580446fc2a8be14f813fbf5cf924e70c1d40ae18d47a874709d7bb3b8446888074583e1861c3dc653aff8f3cbed6b

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
121KB

MD5
8916cdb0545a73e61c4345e10e28acb0

SHA1
bebb330bc6523faeaa1129f3c5843c8a4247f4d6

SHA256
e80516d6f8facb4b6e1e00fe1a26ccd59d5a4d474838aabe7cc0d43196775700

SHA512
551b826fcc9aff3348bb9e198e6bfb2d95114398587801f53736c0a08f0f2302f32276d0ce44062b59c8d364999e0ca3e35466de0bc51b7d2ffc0c48d9e3e335

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
121KB

MD5
e7fda6aef50a19e5e44e0d38865d3fcc

SHA1
49780073c1451959539611a0f0acc6b6029e44aa

SHA256
ba455bf40f14294e96d0fdb73f9fb316c60305249350accf8dcb1e9035793797

SHA512
ed333d9bac7dadb715e46bbb02108edbc0ef969df7ebcf5228adf4728c57d2e55880a157c2edddbf07f7c856961be33acc3e1bb4d2d04439afda922f51df17d9

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
121KB

MD5
b6241bc59f5263048b4bfea3cef586d8

SHA1
d057d2aaba0eccc0d9434ec8203b67ec69e8003b

SHA256
c6f31677822a2fc52be06013102eb72803aaf5a06b553773edfced5b7c5a7174

SHA512
6ec2c7dead994ae57f97cf33c70ac423df89aa58809ca753b6b5c969ccc3546b212a5e3efcd1a0f11f2594f851b82e49e0f4e1806736c311a227bdfe32c66b67

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
121KB

MD5
e866b89c9903841122e49ce4c5efc146

SHA1
765ca324e966ca8fe0e663ee8ad5f75e49d156be

SHA256
0230301f3945c86596af56ada4bc1b38d953c6d1c58a7b8f0b024d3f60ec8cb0

SHA512
704808a72d8b0c91f7452e4ce5b1dc7c21d9999a23d5cd7d7af35fb6311b6a0267c3da64ca4d11dafa5e2abdeabfa642d540c1f99dc4d48a5bc99ee5cf7659c4

Download Submit
\Windows\SysWOW64\Bkdmcdoe.exe

Filesize
121KB

MD5
c48227dac28a3b12802c58ad386f8c03

SHA1
9c916ded21151a566d26c7c31d806d32e159f15b

SHA256
bccab35739715c966aafa1231071ed58f7ca7f987fd8b299b0134e94f2e1fc7e

SHA512
a005f4b5e7f6ca10a7db16794b26cccc23ef8f5254c4119a047145664f65c81acf5960c313ff8f4af662f456e66082a85276ccbf2c30604c4f52a1a0be8c97f6

Download Submit
\Windows\SysWOW64\Bnbjopoi.exe

Filesize
121KB

MD5
37e80eae1417d47697c4091f639d4121

SHA1
c7cba9f8308801bae6194d32f0e52b56fbd46e18

SHA256
af41d3a68f999e27f0fccf39ae6d259336924ff842a2bec682ee9668443184cd

SHA512
1901633e6583f55f89746dd542e5ab731c2f82d75da97c9f78b1056ab934dac89eb3b249cf4fc6ec615b5f8976031b011cc8123703149f998426b87d9e6e9c29

Download Submit
\Windows\SysWOW64\Bnefdp32.exe

Filesize
121KB

MD5
28ebcc45bfc36661998d879aa64e908d

SHA1
97263128d37a3a76e05bf55662ae50f138aa4ba3

SHA256
f29d24f9c95c0cdf99908897540dd61177c25fcb6a795d7b28a602b6e771da61

SHA512
f77dcafacc395aa9dda013baddbef2e4f3f811fa3163474ddb42c490f67a7d9058f5efa0b0e93f14250971c6ae72fdb50ebf960512bf0ef73dccfd5f2eb9c16f

Download Submit
\Windows\SysWOW64\Bokphdld.exe

Filesize
121KB

MD5
bb065a62f552ef4710299049539968b8

SHA1
af2fbcd99193ad8de6d585bede65240ef0a2c4fd

SHA256
8d09703d6cb76462478d634b0150dec10448f916033630c6de60c1e30c946241

SHA512
0e954d98a39af1387ad8e7e98f66eccf7ffd726b75f16816a822279918b90a556bf9ff33ab3f0786db0d5ae3b2986dcb138ec7e1878c5448a455fa1287ae2e6a

Download Submit
\Windows\SysWOW64\Bommnc32.exe

Filesize
121KB

MD5
e17638f1d49f76bfc6a2d5727e3df0b9

SHA1
a917d05d0c512999966999b905605f9dcd85bbe4

SHA256
6d9c8b17d731e5e248b989780cbe59fd99f4d391e07aaff9c3ffd0f7476147eb

SHA512
e0d580ba52da24daeddc068a09dfc0a24c60e55d2aa011b46c9dbdb95c48454958067e9cd15dab2ffdc0129b9b2ffdd4f0895015fd1c19919e51329abdcc5c00

Download Submit
\Windows\SysWOW64\Ccdlbf32.exe

Filesize
121KB

MD5
c1542156546919f5a38d7ad6f040ea32

SHA1
8c4da489ea50a01b1a157411060db06b644a8c52

SHA256
3e72a618d500b42a6758c4930b060b1e3eb4ea040fd1d4691a7ac83f1a16a851

SHA512
c3cb8d79d3b1985b666ffe4bf79034fd26791ee4234359f65247725cda26aa148114ce7293026d721d671c9204f6aa9da023c97c2d92d32782ebf165c0454c3b

Download Submit
\Windows\SysWOW64\Cdlnkmha.exe

Filesize
121KB

MD5
8c833ecc016ece43827ef69df0e36086

SHA1
3d627576fd7ac7262cfd605cd8dbb640d5ba55ca

SHA256
224d6bcccf26fa09fdda4130e09065d330b03c88b5fb4a4770ba0389e36a2522

SHA512
4d63a464975f27b7d46be724f0569d2c2bb1b4f280451b4316f292bce9d992e7b74efafc1536d9c7c6e6693f9bedc359510d6942689cf1e94e37721915454b3d

Download Submit
\Windows\SysWOW64\Cfeddafl.exe

Filesize
121KB

MD5
753e42d13f2984f29f1887d448f06405

SHA1
bf5490fc337a1267ec2456d487f17529c9e381ac

SHA256
7170778db1fdc94f679ee94e1622c77e1037d5cad69e28424a7c1277b20006fa

SHA512
83bd9e43be0b5aaafb7a1cb888b769cf4b062d92db0a30b1c671c7f0b74b6534361ae52ef57219f4d091553d2a179b6f141537fad68fa545909425442fb44d00

Download Submit
\Windows\SysWOW64\Chhjkl32.exe

Filesize
121KB

MD5
b37c5573eaeee9de65f4843278f1597a

SHA1
f4ff3803c3552f6e8dc600d9555835887467518e

SHA256
a49c9fae6b7172ec4f0c8b96a32d5f1d9ddddd4cb793542b50c7cf438200476c

SHA512
145aecccc07586530b1d1423712fc6f6f10b1ea9b82c2781de17643cc77f3cfbee864b0e09c8ade97a0e0a2ee9387d57766bcab053240d7c2f9d62eec4563349

Download Submit
\Windows\SysWOW64\Cjbmjplb.exe

Filesize
121KB

MD5
c6173c62fc131d412fd51263c602918b

SHA1
e0c86060dc5f7871887db3d4ce7ac4b978a1985d

SHA256
d4ac39ef11654af7cc9d9cc9d8fe0da6dd9b624cdefaf07824f5b3d94cd7a998

SHA512
e71e53767e5ee66471f8d9242834207fab325fa2b3c49703ed9ac47895a850e123f9e8712aac1e36bf83b95f77abc1ebfcf8ff61c8a5629f1c45a13e3b9d119b

Download Submit
\Windows\SysWOW64\Cjlgiqbk.exe

Filesize
121KB

MD5
18fc1ec64ec0e8f60f28f3b413647799

SHA1
4cd160fe7fdd09e774950ed50cb24f4aad4c2f71

SHA256
aac5a12d70bbf812be8016396f118715129aabac7ef1f9bfb848c12409fb4085

SHA512
fd396282cad6537472141a1b341eb4331dfc1fa9a74b01f50f94031c8ea9873a356ac19d66e07f53180ac3567e833c6c566c7a0ecfc16b922a5b594a78f6f887

Download Submit
\Windows\SysWOW64\Ckdjbh32.exe

Filesize
121KB

MD5
0226dd36db3602140249ff44b701a59e

SHA1
6a5668a6d5a1cdb9429fb971b5846a91a3673981

SHA256
da5c3d9a1109c871c17fd1a17fa249a8074c3736f881e60865d037417f5be06b

SHA512
e8e10fc4150cb63342266451d890fff4646eab892f9d0a9eee4d4bf92a898bf376175884106fe61feb75014d8e18e2478ad2f68caf57b71a2dec13382da0f48f

Download Submit
\Windows\SysWOW64\Cnippoha.exe

Filesize
121KB

MD5
113eefcc674efca28cb26ff23c481022

SHA1
7ba17ad75a59e2dd995a8fa3bb00d1c7c7571c13

SHA256
8e064644b713fe8f3cf82bb4f12adf474aa93cbe0ef8a89c8e7d907be1c341a4

SHA512
0f72671293fce1f31072e1b850eeb946992ac8e53148c4db2e6135d113e90c7ce37607ec8608e9b638a62c5b5c7ee6645648f6915f8e4411dcc79d79e84d01d9

Download Submit
\Windows\SysWOW64\Comimg32.exe

Filesize
121KB

MD5
034a83c9b5228b704ddd48f504e86296

SHA1
c111dae9639f146a7eb7c359a0e51d80552ef35d

SHA256
8cdce57887e4f3aef41a9c1770a73df7496b8f5192b6a2a8b6f3135f3bd9c0c8

SHA512
51dcabfc44abec72d4fd67d3bb896db202b33fdf100933179eb02ebf7cbb2b5aa4d7c935a07574ef45a698e34422dfd2e05e21cfcb61c398ac6fcfd7dd71e363

Download Submit
\Windows\SysWOW64\Ddagfm32.exe

Filesize
121KB

MD5
61f45773b5593583c7cab956464b3d6c

SHA1
6d5e3adce243626c5e04219dabc719a1889f5bb4

SHA256
456a1e2f27c6168c90ccb5663d31a83482cb246465c17def9eb39edd70fdecec

SHA512
9393bfd9d206fa86784fbf00d90fdefcdba1f1393ab3f7d5a7473fc2fbafe87c2c4d3d2708e12e15b5305b822134e0a35c90a53e3d258dc7c9623b87f01cc8d7

Download Submit
\Windows\SysWOW64\Dkhcmgnl.exe

Filesize
121KB

MD5
1859a0c3bf4e4f31dea3ba084dc24398

SHA1
ae2b3f61446753af5fc52f868fce96bccb7bb43d

SHA256
346fedd81aaadadf1cb17af561dc722021559595d1ff273bbb9affe3fccdc572

SHA512
e05fbbff5862b20e28077383a642e19b0b1914cfe739833cbf90cfbf52bc9e5d301fa8d03f80189d403304c90a3a5a9489f2f86e2c0a18ad346737cc4281aee0

Download Submit
memory/236-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/344-20-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/440-248-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/440-240-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/440-234-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/492-344-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/492-335-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/492-345-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/976-305-0x0000000000330000-0x0000000000377000-memory.dmp

Filesize
284KB

Download
memory/976-317-0x0000000000330000-0x0000000000377000-memory.dmp

Filesize
284KB

Download
memory/976-299-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/980-250-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/980-255-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/980-254-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1180-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1336-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1336-262-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1336-270-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1492-179-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/1492-172-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1572-334-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1572-333-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1572-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1616-222-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1616-212-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1676-210-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-232-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1792-233-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1792-226-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1804-381-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1804-377-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1804-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1820-271-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1820-276-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1924-443-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1924-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1952-193-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1976-94-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1980-87-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1980-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2044-277-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2044-287-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2044-286-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2084-475-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2084-476-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2084-466-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2096-441-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2096-429-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2096-423-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2124-288-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2124-298-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2124-297-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2316-454-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2316-444-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2316-453-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2340-356-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2340-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2340-355-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2428-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2428-6-0x0000000000310000-0x0000000000357000-memory.dmp

Filesize
284KB

Download
memory/2444-319-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2444-320-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2444-318-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2448-26-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2448-38-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2564-410-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2564-411-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2564-401-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2568-400-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2568-395-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2568-399-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2712-45-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2728-375-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2728-357-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2728-374-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2788-53-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2788-63-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2788-66-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2824-107-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2824-119-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/2828-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2868-465-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2868-455-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2868-464-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2896-393-0x0000000001FF0000-0x0000000002037000-memory.dmp

Filesize
284KB

Download
memory/2896-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2896-388-0x0000000001FF0000-0x0000000002037000-memory.dmp

Filesize
284KB

Download
memory/2916-491-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/2916-490-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/2916-477-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-331-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/2944-321-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-330-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/3036-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3036-422-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/3036-421-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads