f105c9fc3c989fedf42b7d13f6c9996e44f317e74f130311bce6664f217ca79e

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
Size

434KB
MD5

0f34d2d4ddee8c93f089c8a1186d17b0
SHA1

346f46e1657d3772c26ce3115591f6e40d5216f1
SHA256

f105c9fc3c989fedf42b7d13f6c9996e44f317e74f130311bce6664f217ca79e
SHA512

ba72e5dabec1f24a1578e7d0158e303c5fc8e926344248e864d1e53957a12efcccaab1468dc3743514bdf0d814b0d41152dcc95a6220221ad991f76c51286f8a
SSDEEP

12288:tRDZxDmOQjkMmVY2gsvmQjBImVYymVY2gsv:H9Y2gsHYNY2gs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbdocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bloqah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqbenep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cphlljge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpjiajeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eflgccbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affhncfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkdmcdoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijcpoac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbflib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflgccbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbflib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bloqah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambmpmln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbkeib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoffmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdmcdoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baqbenep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphlljge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eijcpoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebbgid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljcelan.exe

Executes dropped EXE 42 IoCs

pid	Process
1748	Affhncfc.exe
2912	Ambmpmln.exe
2340	Aoffmd32.exe
2724	Bbdocc32.exe
2652	Bbflib32.exe
2704	Bloqah32.exe
3004	Bkdmcdoe.exe
2592	Baqbenep.exe
2484	Cljcelan.exe
2320	Cphlljge.exe
632	Cpjiajeb.exe
2016	Cbkeib32.exe
1756	Ckffgg32.exe
2464	Cndbcc32.exe
2280	Ddokpmfo.exe
1484	Dnneja32.exe
1428	Eflgccbp.exe
2884	Eijcpoac.exe
784	Ekholjqg.exe
2036	Ebbgid32.exe
2424	Fehjeo32.exe
592	Flabbihl.exe
2440	Fjgoce32.exe
2980	Faagpp32.exe
2224	Fbdqmghm.exe
1720	Fioija32.exe
1680	Globlmmj.exe
2896	Gbijhg32.exe
2700	Gejcjbah.exe
812	Ghhofmql.exe
2672	Glfhll32.exe
2832	Gmgdddmq.exe
2632	Geolea32.exe
2420	Ghmiam32.exe
2080	Hckcmjep.exe
2168	Hejoiedd.exe
1304	Hlcgeo32.exe
1328	Icbimi32.exe
1028	Ieqeidnl.exe
2808	Ilknfn32.exe
2824	Ioijbj32.exe
2288	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
1748	Affhncfc.exe
1748	Affhncfc.exe
2912	Ambmpmln.exe
2912	Ambmpmln.exe
2340	Aoffmd32.exe
2340	Aoffmd32.exe
2724	Bbdocc32.exe
2724	Bbdocc32.exe
2652	Bbflib32.exe
2652	Bbflib32.exe
2704	Bloqah32.exe
2704	Bloqah32.exe
3004	Bkdmcdoe.exe
3004	Bkdmcdoe.exe
2592	Baqbenep.exe
2592	Baqbenep.exe
2484	Cljcelan.exe
2484	Cljcelan.exe
2320	Cphlljge.exe
2320	Cphlljge.exe
632	Cpjiajeb.exe
632	Cpjiajeb.exe
2016	Cbkeib32.exe
2016	Cbkeib32.exe
1756	Ckffgg32.exe
1756	Ckffgg32.exe
2464	Cndbcc32.exe
2464	Cndbcc32.exe
2280	Ddokpmfo.exe
2280	Ddokpmfo.exe
1484	Dnneja32.exe
1484	Dnneja32.exe
1428	Eflgccbp.exe
1428	Eflgccbp.exe
2884	Eijcpoac.exe
2884	Eijcpoac.exe
784	Ekholjqg.exe
784	Ekholjqg.exe
2036	Ebbgid32.exe
2036	Ebbgid32.exe
2424	Fehjeo32.exe
2424	Fehjeo32.exe
592	Flabbihl.exe
592	Flabbihl.exe
2440	Fjgoce32.exe
2440	Fjgoce32.exe
2980	Faagpp32.exe
2980	Faagpp32.exe
2224	Fbdqmghm.exe
2224	Fbdqmghm.exe
1720	Fioija32.exe
1720	Fioija32.exe
1680	Globlmmj.exe
1680	Globlmmj.exe
2896	Gbijhg32.exe
2896	Gbijhg32.exe
2700	Gejcjbah.exe
2700	Gejcjbah.exe
812	Ghhofmql.exe
812	Ghhofmql.exe
2672	Glfhll32.exe
2672	Glfhll32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cphlljge.exe	Cljcelan.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Qoflni32.dll	Cpjiajeb.exe
File created	C:\Windows\SysWOW64\Omeope32.dll	Cbkeib32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ambmpmln.exe	Affhncfc.exe
File opened for modification	C:\Windows\SysWOW64\Cljcelan.exe	Baqbenep.exe
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Eijcpoac.exe	Eflgccbp.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ebagmn32.dll	Ddokpmfo.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ooahdmkl.dll	Bkdmcdoe.exe
File opened for modification	C:\Windows\SysWOW64\Cphlljge.exe	Cljcelan.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Baqbenep.exe	Bkdmcdoe.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	Ckffgg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddokpmfo.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ebbgid32.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bkdmcdoe.exe	Bloqah32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Aoffmd32.exe	Ambmpmln.exe
File opened for modification	C:\Windows\SysWOW64\Bloqah32.exe	Bbflib32.exe
File created	C:\Windows\SysWOW64\Fgdqfpma.dll	Cljcelan.exe
File created	C:\Windows\SysWOW64\Ckffgg32.exe	Cbkeib32.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Globlmmj.exe
File created	C:\Windows\SysWOW64\Hqddgc32.dll	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Aoffmd32.exe	Ambmpmln.exe
File created	C:\Windows\SysWOW64\Ddokpmfo.exe	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Flabbihl.exe	Fehjeo32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Cibgai32.dll	Ambmpmln.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Jamfqeie.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Affhncfc.exe	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Baqbenep.exe	Bkdmcdoe.exe
File created	C:\Windows\SysWOW64\Ebbgid32.exe	Ekholjqg.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckffgg32.exe	Cbkeib32.exe
File created	C:\Windows\SysWOW64\Ekholjqg.exe	Eijcpoac.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1096	2288	WerFault.exe	69

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll"	Aoffmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll"	Baqbenep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll"	Bloqah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll"	Cphlljge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll"	Bbflib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cljcelan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambmpmln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbflib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bloqah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoffmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll"	Ddokpmfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddokpmfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll"	Cljcelan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cphlljge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkdmcdoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baqbenep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll"	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebbgid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eflgccbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Fioija32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1748	2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 1748	2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 1748	2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 1748	2068	0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe	28
PID 1748 wrote to memory of 2912	1748	Affhncfc.exe	29
PID 1748 wrote to memory of 2912	1748	Affhncfc.exe	29
PID 1748 wrote to memory of 2912	1748	Affhncfc.exe	29
PID 1748 wrote to memory of 2912	1748	Affhncfc.exe	29
PID 2912 wrote to memory of 2340	2912	Ambmpmln.exe	30
PID 2912 wrote to memory of 2340	2912	Ambmpmln.exe	30
PID 2912 wrote to memory of 2340	2912	Ambmpmln.exe	30
PID 2912 wrote to memory of 2340	2912	Ambmpmln.exe	30
PID 2340 wrote to memory of 2724	2340	Aoffmd32.exe	31
PID 2340 wrote to memory of 2724	2340	Aoffmd32.exe	31
PID 2340 wrote to memory of 2724	2340	Aoffmd32.exe	31
PID 2340 wrote to memory of 2724	2340	Aoffmd32.exe	31
PID 2724 wrote to memory of 2652	2724	Bbdocc32.exe	32
PID 2724 wrote to memory of 2652	2724	Bbdocc32.exe	32
PID 2724 wrote to memory of 2652	2724	Bbdocc32.exe	32
PID 2724 wrote to memory of 2652	2724	Bbdocc32.exe	32
PID 2652 wrote to memory of 2704	2652	Bbflib32.exe	33
PID 2652 wrote to memory of 2704	2652	Bbflib32.exe	33
PID 2652 wrote to memory of 2704	2652	Bbflib32.exe	33
PID 2652 wrote to memory of 2704	2652	Bbflib32.exe	33
PID 2704 wrote to memory of 3004	2704	Bloqah32.exe	34
PID 2704 wrote to memory of 3004	2704	Bloqah32.exe	34
PID 2704 wrote to memory of 3004	2704	Bloqah32.exe	34
PID 2704 wrote to memory of 3004	2704	Bloqah32.exe	34
PID 3004 wrote to memory of 2592	3004	Bkdmcdoe.exe	35
PID 3004 wrote to memory of 2592	3004	Bkdmcdoe.exe	35
PID 3004 wrote to memory of 2592	3004	Bkdmcdoe.exe	35
PID 3004 wrote to memory of 2592	3004	Bkdmcdoe.exe	35
PID 2592 wrote to memory of 2484	2592	Baqbenep.exe	36
PID 2592 wrote to memory of 2484	2592	Baqbenep.exe	36
PID 2592 wrote to memory of 2484	2592	Baqbenep.exe	36
PID 2592 wrote to memory of 2484	2592	Baqbenep.exe	36
PID 2484 wrote to memory of 2320	2484	Cljcelan.exe	37
PID 2484 wrote to memory of 2320	2484	Cljcelan.exe	37
PID 2484 wrote to memory of 2320	2484	Cljcelan.exe	37
PID 2484 wrote to memory of 2320	2484	Cljcelan.exe	37
PID 2320 wrote to memory of 632	2320	Cphlljge.exe	38
PID 2320 wrote to memory of 632	2320	Cphlljge.exe	38
PID 2320 wrote to memory of 632	2320	Cphlljge.exe	38
PID 2320 wrote to memory of 632	2320	Cphlljge.exe	38
PID 632 wrote to memory of 2016	632	Cpjiajeb.exe	39
PID 632 wrote to memory of 2016	632	Cpjiajeb.exe	39
PID 632 wrote to memory of 2016	632	Cpjiajeb.exe	39
PID 632 wrote to memory of 2016	632	Cpjiajeb.exe	39
PID 2016 wrote to memory of 1756	2016	Cbkeib32.exe	40
PID 2016 wrote to memory of 1756	2016	Cbkeib32.exe	40
PID 2016 wrote to memory of 1756	2016	Cbkeib32.exe	40
PID 2016 wrote to memory of 1756	2016	Cbkeib32.exe	40
PID 1756 wrote to memory of 2464	1756	Ckffgg32.exe	41
PID 1756 wrote to memory of 2464	1756	Ckffgg32.exe	41
PID 1756 wrote to memory of 2464	1756	Ckffgg32.exe	41
PID 1756 wrote to memory of 2464	1756	Ckffgg32.exe	41
PID 2464 wrote to memory of 2280	2464	Cndbcc32.exe	42
PID 2464 wrote to memory of 2280	2464	Cndbcc32.exe	42
PID 2464 wrote to memory of 2280	2464	Cndbcc32.exe	42
PID 2464 wrote to memory of 2280	2464	Cndbcc32.exe	42
PID 2280 wrote to memory of 1484	2280	Ddokpmfo.exe	43
PID 2280 wrote to memory of 1484	2280	Ddokpmfo.exe	43
PID 2280 wrote to memory of 1484	2280	Ddokpmfo.exe	43
PID 2280 wrote to memory of 1484	2280	Ddokpmfo.exe	43

C:\Users\Admin\AppData\Local\Temp\0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f34d2d4ddee8c93f089c8a1186d17b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\Affhncfc.exe
  C:\Windows\system32\Affhncfc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Ambmpmln.exe
    C:\Windows\system32\Ambmpmln.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\Aoffmd32.exe
      C:\Windows\system32\Aoffmd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\Bbdocc32.exe
        
        C:\Windows\system32\Bbdocc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Bbflib32.exe
        
        C:\Windows\system32\Bbflib32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bloqah32.exe
        
        C:\Windows\system32\Bloqah32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Bkdmcdoe.exe
        
        C:\Windows\system32\Bkdmcdoe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Baqbenep.exe
        
        C:\Windows\system32\Baqbenep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Cljcelan.exe
        
        C:\Windows\system32\Cljcelan.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Cphlljge.exe
        
        C:\Windows\system32\Cphlljge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Cpjiajeb.exe
        
        C:\Windows\system32\Cpjiajeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Cbkeib32.exe
        
        C:\Windows\system32\Cbkeib32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ckffgg32.exe
        
        C:\Windows\system32\Ckffgg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Cndbcc32.exe
        
        C:\Windows\system32\Cndbcc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ddokpmfo.exe
        
        C:\Windows\system32\Ddokpmfo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Dnneja32.exe
        
        C:\Windows\system32\Dnneja32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Eflgccbp.exe
        
        C:\Windows\system32\Eflgccbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Eijcpoac.exe
        
        C:\Windows\system32\Eijcpoac.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ebbgid32.exe
        
        C:\Windows\system32\Ebbgid32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Flabbihl.exe
        
        C:\Windows\system32\Flabbihl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:592
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        43⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 140
        44⤵
        Program crash
        
        PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambmpmln.exe

Filesize
434KB

MD5
5d8498dff3a91811e2ee1dd4d83ebc3b

SHA1
1759710719ecb4e781f1876a060004b1314b03c9

SHA256
43fa576981f1fa2650cd749ead89175e0e58d814cc5cf0ddbba89ebd0d02a291

SHA512
a2bd4fd30c7b8d8edd6e73d10c7d0b5757fa5efe07455548bf17e3a8b155b63257720b96fbc397378898a9ccece0286c6c2b18d076fc1401aec86684f9113069

Download Submit
C:\Windows\SysWOW64\Baqbenep.exe

Filesize
434KB

MD5
74361c029f296b3cc3b20a4b5547b213

SHA1
adc625e11c583697e4902bc327c31f271069cdc3

SHA256
73519766210f2c0638897f19d47b7aa95f7bb35d4e3dd12f915676e3f7db5919

SHA512
f2c36994c814050ed516fb0426907dc1b4b3f53521b156f98702ef1d93e952bd02cae7e5f80a63b65094a38998fc1986d2619303c367b95e1b82f878666a2caa

Download Submit
C:\Windows\SysWOW64\Bbdocc32.exe

Filesize
434KB

MD5
942492c868bf5092ad3e2603bef1bcaa

SHA1
a78e8297f99c8d5d3d9d0af7aa20e40e1c5fc369

SHA256
99e78d32fd04cce1067c4f6a2f5e001d5919a128968c6c9fd6ecd984b7861030

SHA512
b351047c5d88763e9fffdcabc65db6a96e98603efae852a98f3f5de9818991c9be2828282545e084682fd197690ebfdd9d4dbba189386dbfce3629e7527ce9c5

Download Submit
C:\Windows\SysWOW64\Bkdmcdoe.exe

Filesize
434KB

MD5
15fc22f5f253601bc0983699aa852709

SHA1
1484d0a6eebabc2ce88caa98e16c292113da5cf5

SHA256
a08bd110d3ad713a22ce6efdb7ba0635deaabab3c1d8f34541fa57e541095c36

SHA512
aace93453db9a56dcb10d01a8ff3b2ddc9e7b78e00e98243f3ef9b19fca860a794122044d266e1b4ff4d5d0dd9f8f59407f5632cf85f2055ea7a448cf22d4c9f

Download Submit
C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
434KB

MD5
f17c578aff54279c20225c468505e2bc

SHA1
462498b9d9559dbccb063f6f28773bea130d30af

SHA256
12ecadddf138f85f535b1e04f1c7cab50df88ac108717f19c790e6e4e0d6c247

SHA512
0ce0aa9555692d497681fcf4279f542762e73367ae0e22e4bfcfac12567c6a73451cbb48860525354d61dd15ba45d29ca3e0896f4921f9130749fd50b7b05d62

Download Submit
C:\Windows\SysWOW64\Ddokpmfo.exe

Filesize
434KB

MD5
31df113cef220b5a57812de5a1e314f5

SHA1
3d52485466f07c815e167ddd90a270ab91758e85

SHA256
7b7191f8da90d2bffdab473b39288a101d1de6748c358e2d5175e9266a86ed3f

SHA512
8f1afbb20b10e690977b2f3d0e7e1fb7a44ef9c4f57cba9b847e3299c51025fe5c3c6687d9575b988cfa05c1ce45cf7062d03c292934432732baf291d7ede783

Download Submit
C:\Windows\SysWOW64\Dnneja32.exe

Filesize
434KB

MD5
edcfa7f11f60f44f0e9c33d281d4b2b7

SHA1
f7370e9a23555f1e98d71bcc9a48732760218463

SHA256
208a55da0ee9983048a1c48d78742387f5547712157b189faafdb793e94c5e67

SHA512
5f42041377d6d139f13c0be64b26c126aedad6ed3a33507d222c0ba01f25e0b9f3107e78442a4a972cae9119109c625ca36e7589dbf7dee245d2f75841a549fa

Download Submit
C:\Windows\SysWOW64\Ebbgid32.exe

Filesize
434KB

MD5
b3eccde67e54acbe05a79607616a6ac1

SHA1
3914f8df7b8bdcb8a3f41e343128c7ef7376b479

SHA256
d573f0a2ff12c5a4c99fcd8a2252f4c31c2b583e1700a7dff66c9212df3e3545

SHA512
7bc1291c7f04247fcfaf7052dca7bba8ea94663b88cd3f9087394bcae5698b232f46237b43e733dc468f4bef4afa1cc74cb7cf56aa99378dd5143af8ffb0e9c0

Download Submit
C:\Windows\SysWOW64\Eflgccbp.exe

Filesize
434KB

MD5
5969b191c9cbffe3464a067abbb14267

SHA1
3a8f5792965fbfde8e22e2b8eee91b0085c27e59

SHA256
063ea6af0f8e55232995bfa6ceeaeb9e772ccec33bd310ca127d49d9a7af0fab

SHA512
c7d803db005b085ab2df18b4dbcdcad9d861b6127d52e4f781d1d5cbaa62d244971680aa5e714ceaed36f038e3df1b1c62c44f2afa8be0c292b9b814f3b049a2

Download Submit
C:\Windows\SysWOW64\Eijcpoac.exe

Filesize
434KB

MD5
c1c80d4ed9debdf0ec412d951c805d67

SHA1
9e91720654d38d575ffcaacb5d87547f251c7f85

SHA256
4772b462151d073bb48bd4666536b3cac94e5586a09f90f3d4d8b5825c9c62fe

SHA512
9dc162fe2d65766f515cb878e13fce8e70218fa3a25c9e029fbff0a5fcf222ef3c7dac0c77352e22adb78043ac3870cd84acf1c060dea1209232c6437628e97b

Download Submit
C:\Windows\SysWOW64\Ekholjqg.exe

Filesize
434KB

MD5
873a0ce5c78e0908ed73e633261d6978

SHA1
3e204af05cba291b93a91eb3561ac0fc3a3142bf

SHA256
f369c3318d9f2b110f28e76cec3e07167d5bdfb121aef59eecf684e1685ec742

SHA512
6470f74702c4a5cbad843ba716312c189cb5cc16c04ee04cbdbc12b0827a003a6604e9308b46053c7a109c71d54f41caac3f1d88b9574065a8a274fc06d2c7ea

Download Submit
C:\Windows\SysWOW64\Faagpp32.exe

Filesize
434KB

MD5
25e6af9f7087db14a291f83a71267eba

SHA1
1416336b13b98a9b03ac660558170bbd5764531d

SHA256
8366c4d556495c5224eb060ba9b55e233ba92d775fe27281c0f784a6f17d0b9f

SHA512
a6a816ef12238506bf549e8b7e8080fb5d6e72417f2a1ac59b4cf2a280137be5cd1f2ef780a1b24922bf7a728a4cbdc544f51cf617d7e2ce94800d6967f9c736

Download Submit
C:\Windows\SysWOW64\Fbdqmghm.exe

Filesize
434KB

MD5
7635d5bd397d361eeab4099e44f83e7a

SHA1
d2d37abccd370b585e151bb3b1771d27d02bbb24

SHA256
9cc3fb81d7918a3a450077a6b3d09b37e09c357427f63b6a4aee874673d1093e

SHA512
a66c4e25d907d3515846216a11f2803e8a411151127c32d71477b35615ef7a9c9402340454c5a83ad83b303b75d1af789dbd250938e79be05e83a8683f77da5d

Download Submit
C:\Windows\SysWOW64\Fehjeo32.exe

Filesize
434KB

MD5
086d3f8ad19facd71f44d720f90758b7

SHA1
2b661121e9f7949b90b53a84b45095d8d980fa6e

SHA256
d41fc29420425184aeef065bd0789faa547a26ace4ff3376876519954dfb4855

SHA512
e9aa94c99add57c03990d1f3011cc4616703d13b613159d2310b93ec42a8fa85ef6b08b31f6d84aa62552bb31f3dc3d2cb110831d29b520800d1fd36e0851a4f

Download Submit
C:\Windows\SysWOW64\Fioija32.exe

Filesize
434KB

MD5
bd4e803be0a2b131535b0f94bbe1315f

SHA1
f92141dc91690878cf2f0c1ce2722e8f63eee9cb

SHA256
7a5eb2bae5c19d709dba7fe2c358a1b4f75515dec515d6bccbc55e0bba6c754c

SHA512
62423c7fcfd57efa2ebe142efaed7e273af4d668e8d3e6fc68ba87a098dacabedd063c58637b3cf309e51a77cde86389c0c1d38fb5972d6021b94f7ff705e0fe

Download Submit
C:\Windows\SysWOW64\Fjgoce32.exe

Filesize
434KB

MD5
5014989e8469fd6f7d03437b8bcb6566

SHA1
16a303900044e64c77e11133dc1817ac005cece2

SHA256
d331b0083107ca3383ac8914d30ef670f7c311c2f2350cb185075fb75fbbb65c

SHA512
e42ae886e2dc0414eab59f47bf0b42f7fa8602161899e9eb523b5f362f050828e24bc96f02c053dab4d27138750aca6b4c27ddabc7d4d92a1faa36592f429346

Download Submit
C:\Windows\SysWOW64\Flabbihl.exe

Filesize
434KB

MD5
07b11063422f6fb02301413e64278e5d

SHA1
d864b64791323de2f6def3cf61c4dc1942e48b88

SHA256
5eb94e9d82dc70d25c9e2f4a7789eda1dedd319d22cb13de64495e77c65026d7

SHA512
6ac76b39bb074cbb71ff9038979312425aee5426ac80fbad200580932d6be29e2d4f1feb904bb475e17e6fc08cbb556f3704759e3200de05f040d551199d6670

Download Submit
C:\Windows\SysWOW64\Gbijhg32.exe

Filesize
434KB

MD5
349a8a59494bb03e9c3f8285439504cd

SHA1
da029cd7023519003d00c51fc976a11014c129e2

SHA256
38465d780e7ce1ba4799962264f71425af15c8bce8c93ce1dc16b7630541971c

SHA512
87c12dfb4f8f67ff6b9db737a94933c87dd020a8aff3f35c1f9870e6159d40ed60c3c29cc7d6c0532ff40afaa4309a38b5623d39bca64c6ba7a2e877c59d653c

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
434KB

MD5
395f690c64e583059f9a989780f5b1df

SHA1
eefc3f473726a6a3ee8125b4d08732fb75dc9445

SHA256
09bc6e8da0bed9d88aa12da6be1d06feeb28fad47ed1ce80390dc42ceaeef1c6

SHA512
8a2423870ddb19c92d02803ee58e84bcdadfb37ef424cc2a282736fe8cee3f3d2c9935098d91d6c7bf6768d63aa1631952a198ce5bb7d96344372ec4731b6289

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
434KB

MD5
15a4cf888ee44da2414616aea4c1fc41

SHA1
47d269089bd2b81afd06414cdd78c64df1bfebd4

SHA256
4fff2b7f030a53c0b618b98f325fc6356b4671e39ec1bf6703c6fb57de3e054f

SHA512
1507ec2048788c1dc1236f24a4c7dcd833d92a82152d10d25fb52b7068515959125845572cacd090b9bc0f762f34a2f5306bc85eaa8d44625982f9c685949b1b

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
434KB

MD5
b1ad654f120a8b4ed926b0ffe8f9b800

SHA1
587c4f70fefba4ab95aa9826a5db9054cd972a39

SHA256
7e54d66517fc03d5e3b73b783dd522f2413f96e2bafd4e776623d10d7563a59f

SHA512
73a2be45c36796ec80892092ac14074f36867fd9db6eaf1fd79a679791f89380bbb594a721ff8e9dabdcae3ba67b094dbc829937d20411194f5b6360f12889b0

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
434KB

MD5
e1a433f432b9a07a07d5932861ea380e

SHA1
65b22730aa2b203b9dcadb70547116f4a896d2fa

SHA256
6aff9123644140c1a99007baffc26734199a432bd4bdebfb4fbaa1ec7fecebbf

SHA512
41f96a2fa1ef7b67f6b398856a105c0c4545ea3be433e44957cfef797d76686e2eab1bf4a8c252e184e13387deb08f59069bef84fc0ebacd075e7f422da81820

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
434KB

MD5
725a4b18b227539234c9564bebfe1744

SHA1
6afd1953754fcc81d7e5ca7efb15690a121be4c6

SHA256
b3410c9fe55457bcc36c3a6ac75f70d5fe25acf5a6640d8a4402afb1c99d6d61

SHA512
650d9c0a233c6e8d6dfb74007e51d0e5885d2b6e0799fd228361a1398f65ecc7ba99b7d4694fd7fd3bd07b8f1b8878fbbde2b3dca948eae989f6113df802e9cd

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
434KB

MD5
24f8b8b969f9b4295192eefdb2b6e5f2

SHA1
b1572c0b558d7572eadd428f9950e2471a640a03

SHA256
4ad25c5117cb7ef961d9c1299582fc38def36e0996af3be38ed5117063a1deca

SHA512
e3ed9e5f018263ca5997ee05bbec47b507195681b243ae430103287e1e374bdd2557850dcc452441c3644d5b0c8c40cb572ae994804ef38617840d176380551d

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
434KB

MD5
3646e0eb642868d95ca580108eb815e5

SHA1
356243baf3245b3bb35411225a3be06dc7c72ce2

SHA256
654b8e87b8d3034216bb2d77eb3943f873ab8b7878caa7b368175365ae219484

SHA512
e81e837f54b279ad46e55dcbe9d0ddfe6e3ad0708a01c808b2453c2cf710c6dec1cbec61d85dbc1be71fc1d60370d066abc7abb53e9c1d02bf3a38ffd29f50a9

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
434KB

MD5
7c757c2e6459f883dd67f4046a048eb4

SHA1
3ec2ec7bd701e26912b82d9e398aae00fc0d0790

SHA256
0f315f5dabff130b5a8aedb3e92a649faa8d8345b2f57e773438282676f0286c

SHA512
7173a2d3d7f9f11c025f09394b9f9d54ca96d75e33da9a05851f33881c0506a18a2e34e43b02ec6955d845b7deb9ebe0570c98ae12ba72cf0682a6fbf9b480a9

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
434KB

MD5
24bd58ed8205f0c029ae936595928928

SHA1
5e0780e0248fbebf32a88f6bc36b9b34475602aa

SHA256
85ac1351c98f5697c1096606fc7fa515884971ffc32370462bef17e1db225202

SHA512
d7d21c0fbdb11c6eb470346b5cdf390bc3abb0c920fa3b0786abacb8b9bbd12df5dbd1e38b4fcc9dd6cc9968c3e07303365ed8d16d13525f2480a1367a478e24

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
434KB

MD5
806f942e4e2542df67b5e1c81029b8ff

SHA1
b547c2d3eaaacbaae18bc4d7900125315a4009aa

SHA256
854798fcfaa4e5259f58798434ce80f8e7563e2adfac7357e01cd148ccc7a337

SHA512
7670b2163fb36662450b7fded0322deb3906dd208b13e479e1584729d9a97dd5ca0b741c18377a611bf5acaf8965ea2844eb58d91a1c54486c4d28f8d7cacd28

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
434KB

MD5
4802c777672cfb9560ecb0aec7407321

SHA1
b5c055ae506cd1101fa227c674a8346751b62905

SHA256
29c78d72a6b6f87bba00e0b213f5a370415e791c1b7fb43f4ae3b16da18d0a92

SHA512
bc707a23d4fe5561e0091ce8518c1540933c1e422a973c699bdbe33597509747b6efed6c64244834401b3e31f6c37b47e1b42b0ad569829c215ce88e8da96289

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
434KB

MD5
b9ff774bdc53e3e2e6b2bc547ebbee38

SHA1
c126694cabdf4bf2e00df38ec4b4ddea0b31c8a2

SHA256
e6213e793f8a39650bc231c51014055129a3602303fed66f4e84261f3b29d305

SHA512
2c4e77e31b940b72a0f8fb5e238fe5a197a0e4cc00c6d0e05acab82678ab0706b73d084b82850e9202d70c5a0304007ae0125b77a41a562177a7b8b6336dc94c

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
434KB

MD5
b4ed4cac230233ab31b3331abe460342

SHA1
ffae16f5bc4e905f8e0749dd09a6c0d5cf54b7c7

SHA256
5027f11976145ce0a873f12870cb427ddf49cbcb9eb538882beb6b66b97129b4

SHA512
e60f67ee13afaaeaf4e0b2891f8f0db5239102b0c567302b1a30eca21becae8f68b2eefd5f1b9b32ff0ffa16750cf44b79c02ad54423d056eaf9fa544acc310f

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
434KB

MD5
456689cd5662092ecd7b40e471fa20ae

SHA1
ce404185383e071c0907396d3094ca64071747e5

SHA256
44584c5ecd01964c4fa7e663fce2480800d34036bac5873f4d189bcbd78e74fa

SHA512
047078e6a86652cc8e026b9c828edf81ac1ecfdd27ea8a48ec38016af827c47fdca2259225b06f085692627b8c0211dc996fd8f6ef88fba36a167923759ec574

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
434KB

MD5
561569da07cf5367256c5270ff99b0ec

SHA1
a156798928ba419b4fd7b74f0e5e1a0e1cff60cb

SHA256
53a0f06816a0ecf0e3939816aff5df1e97e8719d912037d8f78b3949a85613ba

SHA512
089e6bf627c40a886f4b131fd9c93a33f9c5a048ed17822bec4a4331d2f1491562091b56da4445e75967894ac9f27f699fa5b26e417994123c9944affb01e897

Download Submit
C:\Windows\SysWOW64\Ojdngl32.dll

Filesize
7KB

MD5
668eba62c242310ff9ada5552808aaf3

SHA1
42af3e7a8152d89ff535df991a3df57420314c0d

SHA256
765d2f0ded8204a1e721e562d6fd902a4dc8bc7c0172966788d973cbc2218716

SHA512
ca6ba37c32588d4d34531cc03b21ad1222e1c091e42e8bb519bb556d54b5fea0d35f75a306996878815b9e0db0845f9a82e3381ce106f25acfbecb7be330f6ac

Download Submit
\Windows\SysWOW64\Affhncfc.exe

Filesize
434KB

MD5
27d22a346806412230e5a07df8c9f46e

SHA1
fa60e01809db62f9db53c593eb245dd74ca16356

SHA256
aed432c5061fd196b242ac7edc464d6e6edc3345da8b6663b2dedaeff3825c0a

SHA512
4b3ba1ec15f125160f50184fef0111d239181af06c6cb63dbd4c4bf106ab9532cdc1da1e10667853af2158652ef6ea6b1ca2c73a0fdd42e131b9815e43b46eb1

Download Submit
\Windows\SysWOW64\Aoffmd32.exe

Filesize
434KB

MD5
cf4428e4641c7108e60d79eab841fbc0

SHA1
8027e91a5767349474fe83ddcc6c35b9640be3d1

SHA256
f8e56877a8c8943f80b4625f710a280ecb1eb2989b373904681a92cc147633c3

SHA512
ed0f1e379a9c9c6a87662eca43a320b5eb7a03b2213af2a436e5e2d96f4dc55bb068050c9f354c895a6174c0f0ba01e2c85b1298d836fea157eeffb4f0205a50

Download Submit
\Windows\SysWOW64\Bbflib32.exe

Filesize
434KB

MD5
40c7d1a7e117c26688ccd4e456451f71

SHA1
ec8543586bdadbca4a84706f1299e346bf5c8d02

SHA256
af21dbc0e07025578dd3cec9c5ddc9b97a474664a3d1b73b915f022573d4be8a

SHA512
704495b3ea26778caf1f5d0e9b8418b1e54759ef7cb821ef522f15ad823103b4acf7094a7738cbf4e6c4c4c31585ab05ac277be2c883c9b8662ca957c68ae6a3

Download Submit
\Windows\SysWOW64\Bloqah32.exe

Filesize
434KB

MD5
af387f728da2b450d8aa7b69e6643d0d

SHA1
e884a9ac9bf16a3e5f585191fafe12c037b80de6

SHA256
51d6e839c197cb9cb70ffb646e9635e23d7fb5cdfa01ec4dc5270512f62ffdec

SHA512
d74a024cadd9db362e330ba2b022fa67f25e16eb68bd9cfe5a89f12be8a789e5cb5a6dcc84d436740af49d9939ca6121abdcbe6cc6c0b583bc2e6c4ff7f4fd3e

Download Submit
\Windows\SysWOW64\Cbkeib32.exe

Filesize
434KB

MD5
21b5e0b490cdb90518e63257fef54fc7

SHA1
cf46508dfcf55763677fb24344150bd3fe7e525a

SHA256
5bd22df600fd30a772356b354d2f6cf2e6f432ea96fd6ae9dccb281aff651aaa

SHA512
ae876e947e306c81156f5191f6b84f5f1aa9d6fe6b4bcac6200fef09810f9d509cf74cf48ba031266e4a2dd77c770c2152e01566294fbae1c97088888af78833

Download Submit
\Windows\SysWOW64\Ckffgg32.exe

Filesize
434KB

MD5
4d7b8ee8da0315d2871cc5572de8c48b

SHA1
db3a5c206da0f9ad18054afc6fb7c4a3c4ee93f0

SHA256
d9c57096e619e53d61f6472c05127c0645c4fc8bf7465a7681e723d18a6b3968

SHA512
9c9510d711e5fc9b550d514f3220f8c36114cbd9182a347561b0322478d2f10351bb2302af82e4e976e28f95c35f05e5a29049a32688b46caf4d7339cd31b3b7

Download Submit
\Windows\SysWOW64\Cljcelan.exe

Filesize
434KB

MD5
3fd67b497d18478fb0eb61022266237d

SHA1
721db66d6d829e4fb2ffea57a79f365bb8116838

SHA256
7dd56e1db8deab0ed4e8d2589ae80ecaa7ff30be04f1947015d1dd2cccc5f5ce

SHA512
4361e8f7e3da555caea8e9d02f8be2612a7d86a60e7bf55eca011da866a425a46167efd591018210b8dd1ae5aedca30cd577fccfc7601fede4e00b91bc21bffe

Download Submit
\Windows\SysWOW64\Cphlljge.exe

Filesize
434KB

MD5
1073eb60b33eb98651fba60c967ad75f

SHA1
85a472b4fb6b349f3eb49033321353c080be8ba0

SHA256
cd3c516e93a9c33b6002bf8e0026c23d11fd4c44056785fd12d39610504172ac

SHA512
521e397a19c31075bad8bd926edfb66a2becb9e36d3cb46ef36f02199c29b2688dcc2a1b2475df77177a2abf83431bef63cba9c96d978fad0698c8a252e78ad2

Download Submit
\Windows\SysWOW64\Cpjiajeb.exe

Filesize
434KB

MD5
1afdf9aa60fc0b33203528d71798948e

SHA1
20c73f35b67e9d96513e976903128f756def2684

SHA256
498804661629dc7d896d8c8d90c2d0c841a73eb8feedcb3b327f50e6b3ad2233

SHA512
48a47599d7bac7fe95eaf7e91f86f89a20c0dbf589ac6c8839105062919d2b74ba67b0b0a8a43735271537524c459e63b4b4338fcc1b5c455afce4cafb369e66

Download Submit
memory/592-300-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/592-301-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/592-291-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/632-162-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/632-157-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/632-154-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/784-262-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/784-268-0x0000000000260000-0x00000000002E4000-memory.dmp

Filesize
528KB

Download
memory/784-267-0x0000000000260000-0x00000000002E4000-memory.dmp

Filesize
528KB

Download
memory/812-397-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/812-379-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/812-396-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1428-239-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1428-245-0x0000000000510000-0x0000000000594000-memory.dmp

Filesize
528KB

Download
memory/1428-246-0x0000000000510000-0x0000000000594000-memory.dmp

Filesize
528KB

Download
memory/1484-224-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1484-235-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1484-234-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1680-350-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1680-355-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/1680-356-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/1720-345-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1720-335-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-344-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1748-25-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/1748-13-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1756-192-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/1756-184-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1756-191-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/2016-165-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2016-182-0x0000000000360000-0x00000000003E4000-memory.dmp

Filesize
528KB

Download
memory/2016-172-0x0000000000360000-0x00000000003E4000-memory.dmp

Filesize
528KB

Download
memory/2036-275-0x00000000002F0000-0x0000000000374000-memory.dmp

Filesize
528KB

Download
memory/2036-269-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2036-279-0x00000000002F0000-0x0000000000374000-memory.dmp

Filesize
528KB

Download
memory/2068-6-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/2068-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2080-444-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2080-438-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2080-443-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2168-455-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/2168-454-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/2168-449-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2224-333-0x0000000000320000-0x00000000003A4000-memory.dmp

Filesize
528KB

Download
memory/2224-328-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2224-334-0x0000000000320000-0x00000000003A4000-memory.dmp

Filesize
528KB

Download
memory/2280-223-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2280-214-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2280-222-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2320-149-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/2320-134-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2320-147-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/2340-40-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2420-442-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2420-423-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2420-435-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2424-290-0x00000000002D0000-0x0000000000354000-memory.dmp

Filesize
528KB

Download
memory/2424-289-0x00000000002D0000-0x0000000000354000-memory.dmp

Filesize
528KB

Download
memory/2424-280-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2440-312-0x0000000002090000-0x0000000002114000-memory.dmp

Filesize
528KB

Download
memory/2440-302-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2440-311-0x0000000002090000-0x0000000002114000-memory.dmp

Filesize
528KB

Download
memory/2464-212-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2464-195-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2464-207-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2484-132-0x00000000020C0000-0x0000000002144000-memory.dmp

Filesize
528KB

Download
memory/2484-133-0x00000000020C0000-0x0000000002144000-memory.dmp

Filesize
528KB

Download
memory/2484-119-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2592-105-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2592-117-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2632-416-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2632-421-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2632-422-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2652-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2672-405-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2672-398-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2672-399-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2700-374-0x0000000002050000-0x00000000020D4000-memory.dmp

Filesize
528KB

Download
memory/2700-378-0x0000000002050000-0x00000000020D4000-memory.dmp

Filesize
528KB

Download
memory/2700-371-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2704-79-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2724-53-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2832-411-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/2832-409-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2832-410-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/2884-247-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2884-260-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/2884-253-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/2896-370-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/2896-357-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2896-369-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/2912-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2980-322-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2980-323-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2980-313-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3004-92-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads