7c502b023a6bef19789514df1ed9d3f19ae0ccd86d2b335fcb8b9925d23299d2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
Size

121KB
MD5

2adfe696f1e86870e7c5929759a75e30
SHA1

327f8edbeaff780b0759d77c8846d610551c1411
SHA256

7c502b023a6bef19789514df1ed9d3f19ae0ccd86d2b335fcb8b9925d23299d2
SHA512

3bdfb4ae8760625bf1ed87dc5c840ece5f7a6bd37a762e8da7759abd2fce8219befee5aac2112ada561a5f0285a7aba8fb84bc083122cf1753fd0e0aabfe4cae
SSDEEP

1536:vE05aKq3MQ+0nsrUGdXF+1FNexi8SMLrMuuLB+gTQ0m9uCV19zQYOd5ijJnD5irU:vDEVnecTexnxLrALB+gTKtO7AJnD5tvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnilobkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbpodagk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpodagk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqhhknjp.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000b0000000122ec-5.dat	family_berbew
behavioral1/memory/2952-6-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015c7f-18.dat	family_berbew
behavioral1/memory/3068-26-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015cb8-32.dat	family_berbew
behavioral1/memory/3068-34-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0009000000015ccf-51.dat	family_berbew
behavioral1/memory/2532-52-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016103-58.dat	family_berbew
behavioral1/memory/2924-65-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016310-71.dat	family_berbew
behavioral1/memory/2580-78-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00060000000165a8-84.dat	family_berbew
behavioral1/memory/2580-91-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/memory/3040-99-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000600000001686d-97.dat	family_berbew
behavioral1/memory/468-106-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016c56-112.dat	family_berbew
behavioral1/memory/2912-119-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016c7a-125.dat	family_berbew
behavioral1/memory/2912-131-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016ce7-138.dat	family_berbew
behavioral1/memory/1468-144-0x0000000000450000-0x0000000000497000-memory.dmp	family_berbew
behavioral1/memory/1928-146-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d2c-152.dat	family_berbew
behavioral1/memory/1952-159-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d3d-165.dat	family_berbew
behavioral1/memory/1952-171-0x0000000000350000-0x0000000000397000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d4e-178.dat	family_berbew
behavioral1/memory/1428-185-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d65-191.dat	family_berbew
behavioral1/memory/1064-209-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1076-211-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d71-210.dat	family_berbew
behavioral1/memory/1076-217-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x0032000000015678-219.dat	family_berbew
behavioral1/memory/1620-223-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016de7-229.dat	family_berbew
behavioral1/memory/2352-238-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2352-243-0x0000000000300000-0x0000000000347000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017042-240.dat	family_berbew
behavioral1/memory/1672-245-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017486-253.dat	family_berbew
behavioral1/memory/1256-256-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000018663-262.dat	family_berbew
behavioral1/memory/2160-271-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2432-278-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x001100000001867a-273.dat	family_berbew
behavioral1/memory/2432-284-0x0000000000380000-0x00000000003C7000-memory.dmp	family_berbew
behavioral1/files/0x00050000000186e6-287.dat	family_berbew
behavioral1/files/0x00050000000186ff-295.dat	family_berbew
behavioral1/memory/572-293-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2480-300-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000500000001873f-306.dat	family_berbew
behavioral1/memory/2480-309-0x00000000002B0000-0x00000000002F7000-memory.dmp	family_berbew
behavioral1/memory/2136-311-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000500000001878d-318.dat	family_berbew
behavioral1/memory/2944-322-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0005000000019228-329.dat	family_berbew
behavioral1/memory/2704-333-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000500000001925d-339.dat	family_berbew
behavioral1/memory/2296-344-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0005000000019275-350.dat	family_berbew

Executes dropped EXE 62 IoCs

pid	Process
2172	Dbpodagk.exe
3068	Dkhcmgnl.exe
2744	Dqelenlc.exe
2532	Ddagfm32.exe
2924	Dnilobkm.exe
2580	Dqhhknjp.exe
3040	Dkmmhf32.exe
468	Dnlidb32.exe
2912	Dchali32.exe
1468	Dnneja32.exe
1928	Dgfjbgmh.exe
1952	Eqonkmdh.exe
1912	Ejgcdb32.exe
1428	Epdkli32.exe
1064	Efncicpm.exe
1076	Emhlfmgj.exe
1620	Eecqjpee.exe
2352	Elmigj32.exe
1672	Eajaoq32.exe
1256	Egdilkbf.exe
2160	Fehjeo32.exe
2432	Fckjalhj.exe
572	Fejgko32.exe
2480	Ffkcbgek.exe
2136	Fhkpmjln.exe
2944	Facdeo32.exe
2704	Fdapak32.exe
2296	Fioija32.exe
2960	Fbgmbg32.exe
2796	Ffbicfoc.exe
2528	Feeiob32.exe
3044	Gbijhg32.exe
2556	Gpmjak32.exe
2708	Gangic32.exe
2920	Ghhofmql.exe
2416	Gobgcg32.exe
2756	Ghkllmoi.exe
2824	Goddhg32.exe
1524	Gdamqndn.exe
2124	Gkkemh32.exe
2040	Gmjaic32.exe
2752	Hahjpbad.exe
1992	Hdfflm32.exe
2492	Hkpnhgge.exe
2008	Hnojdcfi.exe
1612	Hlakpp32.exe
2288	Hckcmjep.exe
1768	Hiekid32.exe
1136	Hnagjbdf.exe
1784	Hobcak32.exe
1704	Hellne32.exe
2284	Hlfdkoin.exe
2340	Hodpgjha.exe
2632	Henidd32.exe
2684	Hjjddchg.exe
2660	Hlhaqogk.exe
2864	Hogmmjfo.exe
1360	Iaeiieeb.exe
2948	Idceea32.exe
1740	Ilknfn32.exe
1700	Inljnfkg.exe
1820	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
2172	Dbpodagk.exe
2172	Dbpodagk.exe
3068	Dkhcmgnl.exe
3068	Dkhcmgnl.exe
2744	Dqelenlc.exe
2744	Dqelenlc.exe
2532	Ddagfm32.exe
2532	Ddagfm32.exe
2924	Dnilobkm.exe
2924	Dnilobkm.exe
2580	Dqhhknjp.exe
2580	Dqhhknjp.exe
3040	Dkmmhf32.exe
3040	Dkmmhf32.exe
468	Dnlidb32.exe
468	Dnlidb32.exe
2912	Dchali32.exe
2912	Dchali32.exe
1468	Dnneja32.exe
1468	Dnneja32.exe
1928	Dgfjbgmh.exe
1928	Dgfjbgmh.exe
1952	Eqonkmdh.exe
1952	Eqonkmdh.exe
1912	Ejgcdb32.exe
1912	Ejgcdb32.exe
1428	Epdkli32.exe
1428	Epdkli32.exe
1064	Efncicpm.exe
1064	Efncicpm.exe
1076	Emhlfmgj.exe
1076	Emhlfmgj.exe
1620	Eecqjpee.exe
1620	Eecqjpee.exe
2352	Elmigj32.exe
2352	Elmigj32.exe
1672	Eajaoq32.exe
1672	Eajaoq32.exe
1256	Egdilkbf.exe
1256	Egdilkbf.exe
2160	Fehjeo32.exe
2160	Fehjeo32.exe
2432	Fckjalhj.exe
2432	Fckjalhj.exe
572	Fejgko32.exe
572	Fejgko32.exe
2480	Ffkcbgek.exe
2480	Ffkcbgek.exe
2136	Fhkpmjln.exe
2136	Fhkpmjln.exe
2944	Facdeo32.exe
2944	Facdeo32.exe
2704	Fdapak32.exe
2704	Fdapak32.exe
2296	Fioija32.exe
2296	Fioija32.exe
2960	Fbgmbg32.exe
2960	Fbgmbg32.exe
2796	Ffbicfoc.exe
2796	Ffbicfoc.exe
2528	Feeiob32.exe
2528	Feeiob32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njqaac32.dll	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Egdilkbf.exe	Eajaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Ddagfm32.exe	Dqelenlc.exe
File created	C:\Windows\SysWOW64\Nobdlg32.dll	Dnlidb32.exe
File opened for modification	C:\Windows\SysWOW64\Dnneja32.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Midahn32.dll	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Dqelenlc.exe	Dkhcmgnl.exe
File opened for modification	C:\Windows\SysWOW64\Dnlidb32.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Cfeoofge.dll	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	Fehjeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Mdeced32.dll	Ddagfm32.exe
File created	C:\Windows\SysWOW64\Eqonkmdh.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Jiiegafd.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Dbpodagk.exe	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dnlidb32.exe	Dkmmhf32.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Dbpodagk.exe	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dqhhknjp.exe	Dnilobkm.exe
File created	C:\Windows\SysWOW64\Efjcibje.dll	Elmigj32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Efncicpm.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkhcmgnl.exe	Dbpodagk.exe
File created	C:\Windows\SysWOW64\Dchali32.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dnneja32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Fejgko32.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ejgcdb32.exe	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Epdkli32.exe	Ejgcdb32.exe
File opened for modification	C:\Windows\SysWOW64\Egdilkbf.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Fglhobmg.dll	Dkhcmgnl.exe
File created	C:\Windows\SysWOW64\Emhlfmgj.exe	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fhkpmjln.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	1820	WerFault.exe	89

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkhcmgnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll"	Dnilobkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqhhknjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fioija32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll"	Dqhhknjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fejgko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbpodagk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Gpmjak32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2172	2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2172	2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2172	2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 2172	2952	2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 3068	2172	Dbpodagk.exe	29
PID 2172 wrote to memory of 3068	2172	Dbpodagk.exe	29
PID 2172 wrote to memory of 3068	2172	Dbpodagk.exe	29
PID 2172 wrote to memory of 3068	2172	Dbpodagk.exe	29
PID 3068 wrote to memory of 2744	3068	Dkhcmgnl.exe	30
PID 3068 wrote to memory of 2744	3068	Dkhcmgnl.exe	30
PID 3068 wrote to memory of 2744	3068	Dkhcmgnl.exe	30
PID 3068 wrote to memory of 2744	3068	Dkhcmgnl.exe	30
PID 2744 wrote to memory of 2532	2744	Dqelenlc.exe	31
PID 2744 wrote to memory of 2532	2744	Dqelenlc.exe	31
PID 2744 wrote to memory of 2532	2744	Dqelenlc.exe	31
PID 2744 wrote to memory of 2532	2744	Dqelenlc.exe	31
PID 2532 wrote to memory of 2924	2532	Ddagfm32.exe	32
PID 2532 wrote to memory of 2924	2532	Ddagfm32.exe	32
PID 2532 wrote to memory of 2924	2532	Ddagfm32.exe	32
PID 2532 wrote to memory of 2924	2532	Ddagfm32.exe	32
PID 2924 wrote to memory of 2580	2924	Dnilobkm.exe	33
PID 2924 wrote to memory of 2580	2924	Dnilobkm.exe	33
PID 2924 wrote to memory of 2580	2924	Dnilobkm.exe	33
PID 2924 wrote to memory of 2580	2924	Dnilobkm.exe	33
PID 2580 wrote to memory of 3040	2580	Dqhhknjp.exe	34
PID 2580 wrote to memory of 3040	2580	Dqhhknjp.exe	34
PID 2580 wrote to memory of 3040	2580	Dqhhknjp.exe	34
PID 2580 wrote to memory of 3040	2580	Dqhhknjp.exe	34
PID 3040 wrote to memory of 468	3040	Dkmmhf32.exe	35
PID 3040 wrote to memory of 468	3040	Dkmmhf32.exe	35
PID 3040 wrote to memory of 468	3040	Dkmmhf32.exe	35
PID 3040 wrote to memory of 468	3040	Dkmmhf32.exe	35
PID 468 wrote to memory of 2912	468	Dnlidb32.exe	36
PID 468 wrote to memory of 2912	468	Dnlidb32.exe	36
PID 468 wrote to memory of 2912	468	Dnlidb32.exe	36
PID 468 wrote to memory of 2912	468	Dnlidb32.exe	36
PID 2912 wrote to memory of 1468	2912	Dchali32.exe	37
PID 2912 wrote to memory of 1468	2912	Dchali32.exe	37
PID 2912 wrote to memory of 1468	2912	Dchali32.exe	37
PID 2912 wrote to memory of 1468	2912	Dchali32.exe	37
PID 1468 wrote to memory of 1928	1468	Dnneja32.exe	38
PID 1468 wrote to memory of 1928	1468	Dnneja32.exe	38
PID 1468 wrote to memory of 1928	1468	Dnneja32.exe	38
PID 1468 wrote to memory of 1928	1468	Dnneja32.exe	38
PID 1928 wrote to memory of 1952	1928	Dgfjbgmh.exe	39
PID 1928 wrote to memory of 1952	1928	Dgfjbgmh.exe	39
PID 1928 wrote to memory of 1952	1928	Dgfjbgmh.exe	39
PID 1928 wrote to memory of 1952	1928	Dgfjbgmh.exe	39
PID 1952 wrote to memory of 1912	1952	Eqonkmdh.exe	40
PID 1952 wrote to memory of 1912	1952	Eqonkmdh.exe	40
PID 1952 wrote to memory of 1912	1952	Eqonkmdh.exe	40
PID 1952 wrote to memory of 1912	1952	Eqonkmdh.exe	40
PID 1912 wrote to memory of 1428	1912	Ejgcdb32.exe	41
PID 1912 wrote to memory of 1428	1912	Ejgcdb32.exe	41
PID 1912 wrote to memory of 1428	1912	Ejgcdb32.exe	41
PID 1912 wrote to memory of 1428	1912	Ejgcdb32.exe	41
PID 1428 wrote to memory of 1064	1428	Epdkli32.exe	42
PID 1428 wrote to memory of 1064	1428	Epdkli32.exe	42
PID 1428 wrote to memory of 1064	1428	Epdkli32.exe	42
PID 1428 wrote to memory of 1064	1428	Epdkli32.exe	42
PID 1064 wrote to memory of 1076	1064	Efncicpm.exe	43
PID 1064 wrote to memory of 1076	1064	Efncicpm.exe	43
PID 1064 wrote to memory of 1076	1064	Efncicpm.exe	43
PID 1064 wrote to memory of 1076	1064	Efncicpm.exe	43

C:\Users\Admin\AppData\Local\Temp\2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2adfe696f1e86870e7c5929759a75e30_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\Dbpodagk.exe
  C:\Windows\system32\Dbpodagk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Dkhcmgnl.exe
    C:\Windows\system32\Dkhcmgnl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Dqelenlc.exe
      C:\Windows\system32\Dqelenlc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Ddagfm32.exe
        
        C:\Windows\system32\Ddagfm32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Dnilobkm.exe
        
        C:\Windows\system32\Dnilobkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dqhhknjp.exe
        
        C:\Windows\system32\Dqhhknjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Dkmmhf32.exe
        
        C:\Windows\system32\Dkmmhf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Dnlidb32.exe
        
        C:\Windows\system32\Dnlidb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Dchali32.exe
        
        C:\Windows\system32\Dchali32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Dnneja32.exe
        
        C:\Windows\system32\Dnneja32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Dgfjbgmh.exe
        
        C:\Windows\system32\Dgfjbgmh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Eqonkmdh.exe
        
        C:\Windows\system32\Eqonkmdh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ejgcdb32.exe
        
        C:\Windows\system32\Ejgcdb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Epdkli32.exe
        
        C:\Windows\system32\Epdkli32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Eecqjpee.exe
        
        C:\Windows\system32\Eecqjpee.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1620
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Egdilkbf.exe
        
        C:\Windows\system32\Egdilkbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1256
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Fckjalhj.exe
        
        C:\Windows\system32\Fckjalhj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2432
        
        C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        33⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        63⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 140
        64⤵
        Program crash
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddagfm32.exe

Filesize
121KB

MD5
61f45773b5593583c7cab956464b3d6c

SHA1
6d5e3adce243626c5e04219dabc719a1889f5bb4

SHA256
456a1e2f27c6168c90ccb5663d31a83482cb246465c17def9eb39edd70fdecec

SHA512
9393bfd9d206fa86784fbf00d90fdefcdba1f1393ab3f7d5a7473fc2fbafe87c2c4d3d2708e12e15b5305b822134e0a35c90a53e3d258dc7c9623b87f01cc8d7

Download Submit
C:\Windows\SysWOW64\Eajaoq32.exe

Filesize
121KB

MD5
c4e152343f5cbe28056c6888f2f43bd1

SHA1
702b769fd63968b667b0ede2579a81775b2cbc97

SHA256
027ed84a0a475c5756e413e125c7ffc96a5cffa498935efb4b729949ca789d6c

SHA512
df14d38f1acbb476a474eabca6356fd72b1015b2b93f0b3d2e56c4f09e0dbe3bb585c514cc8d6293ede1ed065cb0459842f950c2ac572bee73f94d62f7165d93

Download Submit
C:\Windows\SysWOW64\Eecqjpee.exe

Filesize
121KB

MD5
506589673c991ec1a2f6bbdbf864318f

SHA1
1bb1f5ed292a1eae6da11a4f3191ced5ac2ee5c3

SHA256
54687b248b79cdd0be8e6e0bf0683e69fbc54af51e6da0e215364537fcaf5929

SHA512
b0278071af38eb4d1349791eb3b51175fd42d4160b3adeaf04bd068c66b397278623825cd4034dcb49359228fc2892b71a247fe6eb3d0a57069971682e1a7411

Download Submit
C:\Windows\SysWOW64\Egdilkbf.exe

Filesize
121KB

MD5
a2fc18c8c4e8d9acc07a0b30e8bd1717

SHA1
4f14602de23725a974aa405530a6fc740d3bb26d

SHA256
0ced9245c9393fae4991080f3156dd0bf3f2ec2eac99cb2d1ef7263b64eff460

SHA512
426f3a820bb6a0cc771898279c7e408cbd72e1956a4a57c03e77d7f22fcafeccd7c473fb780a6d9a0c41e1cdff1233994270083293b610920344a95af6a081c9

Download Submit
C:\Windows\SysWOW64\Elmigj32.exe

Filesize
121KB

MD5
5a39775b1d28bf51e073c6e557bb7f7a

SHA1
4bd6202fbb4ef28aace842234fea239ba32fd39e

SHA256
4ea8849e1303b5c2b82b4f7cdb4e48c0ed66bf23c21e27bafe2d4e6bf392dc42

SHA512
9d21c0412f46226f8fb62e89f48463b40b6afc4ab611895b8857a5781848f6241bc5930ee6ee22d71e37099a6957b03a301fbe4042073a28ad83c9f682766393

Download Submit
C:\Windows\SysWOW64\Emhlfmgj.exe

Filesize
121KB

MD5
46680c6345b3e13d75eff5eb0b57b45e

SHA1
61d9815511a0d019b80f2793207641ff0e0e6f24

SHA256
740287aba63b1d3e170474607879c19722e6e50d6380311ec2871ad26396c681

SHA512
f82aafdbcf27282ab7be0b1f8843ff82a7084983f7afb43a57310ca73416682398abe7d63ca6224595c059af71a347fe309a734011e71f89859d729914927361

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe

Filesize
121KB

MD5
1b29ce8837442a2a7920fe47d3324b2c

SHA1
2f1e8e6d5d32b44fbaa62a49137c1ba7b85ed85f

SHA256
dc7225022136bc10fc06567db8e5c1d753de34f52b8d6ced0557a0b9233e3aac

SHA512
b5bef46dcfaeddd93a7683af6adcd6cccb2665f9c880b8fc30af1194e1b593e1536c510d4595d2be1889cced44ba1dd94c880c7f2cb911b6a4c084fbd1c32c3e

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
121KB

MD5
db2c05f0bfcd79a874653f21cbd7fe7f

SHA1
8a8d647c01f4f045c60cc00c655b29b86813eefe

SHA256
b37c9a9fa31b84e6f765f1e05890b90d819865362d0af7560741918d44e81161

SHA512
7e3eae696c7b3a9e974162d5494dd0dc408ec3020e99e01939c4e3efbb72f67bffcdd8ddb0a05bd7d685ab07161c4f6067b92aaa836f78683301b58465285bd2

Download Submit
C:\Windows\SysWOW64\Fckjalhj.exe

Filesize
121KB

MD5
f593b0db54fd77d335409f928871b8ac

SHA1
00ea8d1d154dc6b41ee4fd70888f00202ab81678

SHA256
afe3f9fe25d4f90ad35c4ccc10aafed7e30631d9b60d990b4232acfaeb75003d

SHA512
4f8512318ca3a42d823030b75b70e809b931e4eed066a8a59f7d1ae1d9d79ebaf14c5987ac18a7c56db74bb79400f7ce4dcc1619733dbb8a38eb37a351d6ea4a

Download Submit
C:\Windows\SysWOW64\Fdapak32.exe

Filesize
121KB

MD5
333c5a705e0cb1fab61d7f8bc457cfa4

SHA1
9e8bb7d128b1d1925aab3b1b6df12b26c707c748

SHA256
782c358818730aa5e8a13d704229db1e449e9e64b1e838348539576549cd83d0

SHA512
d3a496817be957e928447bea0334408888b074d8121872d40323791362ae0d84abb9dc4324ee1ff9342afe99e8935ecf02cb4ddd1a4483d434d20e01211d1902

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
121KB

MD5
336c4756b8d0e2261db1f8638bacb604

SHA1
49623556b1b1b511f1fed4088aaef851d4fd3a5b

SHA256
717431e1083a689cc1fa4a2f0109028f274104a249ba39b38f5fd628d6567d20

SHA512
405709aa166593a7acef567702c6659f50aaa64588d38f0a496aecf0745115a7bd83e3202bf132abb7c622b86a531097c903f17fe7bab094d8a31f991c59dccf

Download Submit
C:\Windows\SysWOW64\Fehjeo32.exe

Filesize
121KB

MD5
0d3d91ac365e886d572d86807c571ebb

SHA1
0d424f3b99f17eca1e45efb3b6656d931487e044

SHA256
e0fdb5651f9ee3ce6968899958cc683d4e3bf7caba2fec9ef2cf3acae3474c07

SHA512
506322f8a151ad7749ba92397e32e279d43ce0fd54827061af9aebe3da979f7c1383b2be9b696bdfaad0c6afc16852f80d65d05c248038c44bfb1dcdd433635b

Download Submit
C:\Windows\SysWOW64\Fejgko32.exe

Filesize
121KB

MD5
ea2194efc481a04ba2ed6714a3598274

SHA1
d34fd006eb7f8ee7e783fd7dd3b3c60faa498c38

SHA256
588363044715ed7e3c53756d246d48e83fd22ba003584dec0803394569c64965

SHA512
d9c7315e7521ac69cb9f992efc241c5d8fc64a627c9fc9be375315da911c61df0aa4b3193085651b8c15abd226825ce25340e2fc8b93be5b6b64ae4e15bb5afa

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
121KB

MD5
5121e503b146716046e6cfbd4b827958

SHA1
4c039c0aed0e978d2f21ea9922842d6a03a47c5f

SHA256
3d2c56983e219d870f7b96a3cbab709d5ecfbc5118658b5ce3fe8786fc7333a6

SHA512
21b46df798c2c18cd8ca648928ee159d296fb0711f5cec2b7c052a18f6cfb2509eacdc73b6d567da65861045b6350b406111f450063c8946c72cf9325e7ea797

Download Submit
C:\Windows\SysWOW64\Ffkcbgek.exe

Filesize
121KB

MD5
bc2a18e0dbca278fca490fe68d1ec8c4

SHA1
5207d8799fd990b383db794af8ef7a1b603134c9

SHA256
06697c11668a94ac23bce2505bcfcc687d872a2137b1b21fc80ebd5acd1994b2

SHA512
2685a3271ca7efa249ee715b0533f9deabe5ed649a7bea8033e8f2af9ea023bc479831d5dcc2070000be8208bb0e10ef7b6f3e96eb39cfc2c310c5b8c988c099

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe

Filesize
121KB

MD5
22779e6dab6cb70ee1c78e6899879861

SHA1
bb8390a23e4edd121b97a4439a13d65ac09e856c

SHA256
33016741c6441338b79743dc92bf79ad850aba182e95973528ad158041b16580

SHA512
39453ce3e4f7734de2e2f8629470cd5a3b8f3ebc7fcab628d7d4586cf95e6c488e47ced2aeffa8bbee80accb1139b1774d3042e9da72b7e2ef46608b9e94683d

Download Submit
C:\Windows\SysWOW64\Fioija32.exe

Filesize
121KB

MD5
686859abe8a776941b9dc6995bb5f2b4

SHA1
276aa6cea8f41374501cd0fe60ee7f0fa7c719ca

SHA256
1705251755a85a001423d873aef0f43be5c01105cebb34ae54b287911f663b59

SHA512
ab9a78caf4767efeab57cf10e9b4060039a80507fb236917176bfcf60e36775e5834a711414c436524f7e2f6080ebd7c8fe6b473d03540962c55932fdd1a9cbc

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
121KB

MD5
7292e60322b541c9acd734440488a076

SHA1
f8426584b6cf54c8879d8440e3c1368b039d97ab

SHA256
416a90acdd02515dd29cac395e7f9a1e8e8aff308cc8e4dc1062e1e5ff9af78d

SHA512
89775f99d30cd888d134eaa86f7daf2a88e7c0602cccc0ae7cf142a7521306d0f0325447762526cc8364911c5254877aab5f04693cbdf053f72ee3ba7b5978dd

Download Submit
C:\Windows\SysWOW64\Gbijhg32.exe

Filesize
121KB

MD5
c6761c5f2c3cae24273efbecd0e0585c

SHA1
4baa6d66c52c05282dd8bf63f52cfc7ac2d9e54b

SHA256
e8ce334d5d7462caf1bd158e92e37165319a354f4c4c44972f46f18526d1a7f8

SHA512
cad45a60cd2ae39e931c67b6f947009a700736b0d1cdb6fad12dd28f9f85450410bcb787198ca9db746297ce892c7829b20791f0233af7fbfa90a639b392d345

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
121KB

MD5
ec8f51d31eaef065bc54404e1efb9073

SHA1
80849ddd441a9835b28af6226d1995b15e8b2379

SHA256
922143de66341b0bde40c5c87991fa25cc8cb6945b53f1c4c785db96f918ce88

SHA512
c3772c775fe76372e2f04e46a329748f212ac5b262101355bd14e171d2afa90282bd1465e4e4866e260d6078fc7279c0f35fc82fc766337608fab788feea4a02

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
121KB

MD5
060127181ffecd5eadb43c52ee5dae9d

SHA1
13f2b630c97749cdfa4ddc5b1ba2bc2a2d95e036

SHA256
2fee5ed84f895f807afa78ccc263c1b646d654ab9e3bb5d64ef622d61583678d

SHA512
b15a8e1912870831762a843049f3ebe248c21f3e50790de6a4f3748b51caa650be1b0939f35147f168284077417d7e0a9d893413607d7629efee9b4b7cce914b

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
121KB

MD5
24473ab6933c3635d7819dd3bdb976f4

SHA1
7786beb8f38331906ec7704bc24e3dc6074a3a3c

SHA256
a368dd53b20b2e82447fdc1b1d6972ce6595ec1eb3c9f0cd3372550121468448

SHA512
dd866f3925dcfb929dbde7c87ac9aefd2148b852da0a8868395109bdf3b56941f4d763dbc29ba35ac706b6ade6427a181e85d171b17bcf02ce8801160cfc8a28

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
121KB

MD5
e8048635467eef6f6a0a5eba677d28a1

SHA1
c2cb455548a2d8ab9a604f69034dd53102cdea39

SHA256
fe9caa4bd03f6bdf43596c19eff982f7865a98fbafdf856fbad16658b5ce2ce8

SHA512
9bba0017e09fee2d90b3087d760ed20360633acbb1524a1be8d383b3e24500e0bb30422f4201e259df00bb866fb4c378f705cc60bf4d54e46c4d3dd1663813cf

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
121KB

MD5
9e5f43a3df018483abc60f096a7d3625

SHA1
7cbc2924407169fa730fc72c3fa65a73d8b00c04

SHA256
faefb70a1f84a444351c626148e7b5d8e46b2941eb821632e900053ef82dbb49

SHA512
de058bc958c4a1a24319bb033189ad14064ba2b025ec91614dfec0e002d3b6a19ca10ff35b5f7ee3c95cda8ec3140f5c70f174a242f471fcdb080d44ad6c8119

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
121KB

MD5
3cf1d420fa5e2a01573ed24a41a8d687

SHA1
01e1d6044298306229e587ed7f8a2a9937d0913f

SHA256
e1d97032b6019b9b1b55c045fc8c51138cb7337645424df969790f86d4acc668

SHA512
c9166d294b81642dcf1c855fb7cbc6bb719cc1e741770956302bf2069c2ced2a0a884c2aa2a642fd30b8ac4dfeea6565d7850ba3acba49996eb5a88cbe4af4d8

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
121KB

MD5
60e7ff4c784bccd7a65e177367e68b30

SHA1
94d828a64e8ba442dbf8107b1d087bce9edc9465

SHA256
0a6c15a325edbc2cfc607c054efac43b7e1fa5147fdc6939c8044a83bbc70e09

SHA512
6492fa348c92b4ceb639af40b369b7bcd5bf8484523a3008c196c00b446b9fe54a6556e0c4ce8b07f77b331b78941d50e54b0aceb9a6eaea4a8b440e6d30ffda

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
121KB

MD5
f514b41f7e1f09a191ec6cf91df21ac9

SHA1
0216d1f1c41194f99b5ca92c02ffa9e8aca46733

SHA256
63cc9cf037204eeaec603842130da30609ce6bac14eea33e17bd06247491753a

SHA512
4ac3b6c5f733e30ad2960c6b69d823779cc55d5cb928fc5f1aad47b94221c473f9d5b799caad8bf696ec17d2e49fc827532e8268ae35e7edf50236e142256068

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
121KB

MD5
b4b4b41eec26adcc0c4611e3481a81ee

SHA1
0ccfe9edaef93f8bc1502038e8ac70fdc8ec50a9

SHA256
fb694f35d960a2baf29ca725166e2fc97482c34fd641f389e452ce6d51f2fb3b

SHA512
6e58fb326e56d4c1d5de41e0ab85841eb3eef6312ca85d84b94ea1b0b594462fca6848ca5d514605743bca4068e07d499a0d2bbc8a0e387ce2929add4645dfdb

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
121KB

MD5
2d6afdb4583a9981fcbc668480b6900f

SHA1
7e45ecf31f50d4c764f7b35e236c677a04cd8bbd

SHA256
d859e5f139641cc4d1cbff0a0c55d8d42ab2663f9c6e500dfe2ac7fef16c9542

SHA512
f69a3de3fd2d1f3b863059f7c45f3102e9387083f1b2e1234a791935f1901b6f954ba9fe432a934cc1d6a2f9f261db1417f0a90fe44fabafe35529385d1a86e3

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
121KB

MD5
a6069a01bfaa58cb921f559a4a4f4441

SHA1
dca1fff2a7c2c7b7e8a367c1dbdaa12d7243618b

SHA256
cdadb63f5e367926a5ae95be3f1b7609a2b3f01d52e5b673b00d4bd630ebdb16

SHA512
6675544e33bf8df06c3effa9e96e9ade36bf96eea25c8cfb8807c84ba1f8a5bd226eda186086605ce1b27fa9239005cf0834f8d3b127e1f6018aeff43437cc22

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
121KB

MD5
edd2624d2748cdf46cbcdfbba57f4993

SHA1
29c38e43f7bdc07248b0a84b1d9d8d40c15b60f2

SHA256
432b83c9da7f3babbe3d15468ee11eab9b0541efdd1fe827c195a5663cbf4b38

SHA512
2fd42783cdaceb9198980ffd6fe623f8b6fd685051329bbbd09bef4eacbfdda0780964668b8f64aa0fba6e91cf33a2c0540bf1543eda991a8ef9a5fb9fd024e8

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
121KB

MD5
29084b42ca29cc70d3725a89b6cfb3f5

SHA1
7356e2c9279a42ef23b4c75b6f9845aa94650227

SHA256
affad735c89e213659ad3f539ce8ccdccd030182d994a1c30ac68fa66b180e18

SHA512
2df5f9a80f647260ff24a8fc6067737c407c4d97d9d7ae614b571532224b6708403d8ee52424b91e2426a4807e869d4065dc8634ffda1d5f4a765053a187c737

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
121KB

MD5
0716a0b7cf9040b5f7bb529c7ea84a33

SHA1
94ea2747f22ad1374a52291b1cb2edcd8577dc97

SHA256
18055ea4cb18200bed305ae4164182afb8a494463033df8e2940eac85916a82b

SHA512
b51ad5bdff510139bb07d5978a2b03cd6bc1025b4cebe10228fb7a8b40291593862a2e08bba212f1d1946ec9fdafec527677f37c81ab23982b71e9d56765631d

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
121KB

MD5
4ce202ec8ca3aa727a241fbb84a460bd

SHA1
b6ba7b64538da8b7a137411a75d52d7f6391dfea

SHA256
58238ab87a7ab18ff686e75d6544eba1ff715d73c9c4045f3232141a670fe328

SHA512
baa33963a4337eaf4ed4343066088c7e15718afbef01bcb10e5d1279c0ce1f1d3e7103124d6c99205ad7e4235d4b399718b897bd4615c28c3067677f29e800f0

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
121KB

MD5
2a28080913ece25a9f776104574b340f

SHA1
b889296ec9f5af5b252073fc21fe1e0c581722ae

SHA256
fafeacd5dff95ca4c985a2f3c79fa2e2548dee4647f64fe57486cb40aea8da2c

SHA512
ed34cfc96af7cbfc0b8153e38cb11361c2a04d64842ea62a40799f3b752b45c25504d75b415632de58bc39f5fbb258a171a2e84a7b74ab9af80c6293b99a718e

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
121KB

MD5
05aa75c6d4db8f9dd775b2e66dbb597b

SHA1
8a51541de70ee0dfed83e3d36aa02cfd30f1c83c

SHA256
a44c78e4dd7aec5e953c8daad71a5d2c742934a03474261dbd2ac20c99ae9166

SHA512
45f5850a7c876154af45f015d5be1bca9695d4992052d453d061a2fbbe721a4c7dfb9151e8cdcb5fa25507693d8ba225dcd73fb04544540f8e9d827095b10e03

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
121KB

MD5
005029ae66dcbe3f327faf0eea9d056d

SHA1
eed80a25280b6ab2cce0cbf04d4ded4c14b6fc6b

SHA256
ddbc4789fe37b44effc9a91d8d98f261ef56f6df997ffbb1d1a45028ea61cf67

SHA512
a284fe161222ddbf85a16ae58f35cafc0cf4af2454465d3d10f4364f44a8b9a03f712e8e87fe1ac42fd2888f53b77e3b2132e138449b8b832aa6b77a35795fd1

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
121KB

MD5
8923b2d062490e040157aa323bf99e23

SHA1
f94387aff0f420ca70374ff35c2a15ab6f9f3935

SHA256
6f47a2affe8c4ecaf4597abc095ad7f86f025e60f57760d8ffea31efc3081792

SHA512
fd87ab680cf74fb7e3c4d29912d5484af288779496eff3766a9877d077da000ff694651d8e401fc63c4a75402f429fb4e05ecd4d77619f49ce021121106daf38

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
121KB

MD5
e8948f09cc13b685b3a4b9ac2179dd6c

SHA1
ee3d42afafd91dac2c160f5cfa71ded13d677923

SHA256
d40e48cd1e206b0487d1500fa377725aa37086a2cb9076b395ec2604aa69ecae

SHA512
99e7a848261366ca363668200fc6f238501741944d757a31e75929dce6df30feb30bc797bfcf7ba09523369f31b76b8030e6a7cf6de65102b3d672fb71aacc20

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
121KB

MD5
ed50ba35c8175d7e250cfdc73a310dbf

SHA1
1e8bc75d1c90d1076e978f97a82cb0e524f43c0f

SHA256
4cd8a428bb288c93d3c3e67497f4f49be09d330e0fc34f9f40f82725c5609584

SHA512
867442a4086089f22c03b395848bbc91e1b87ae7d2da4f1cc07e32a6605d35f96bff7748f645d0f3e3dc9f333a44e8ca38460d0a62b3d9b6f95d828a15290e5f

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
121KB

MD5
348e63a90c0d8e02dc6572682b9222a7

SHA1
e5a0ba4487a01734c63419138d404847fe202a7c

SHA256
25445b0793b1a36a894011c2390254a73ea4ea80334a85bee83cb75be544316e

SHA512
b266c7b72f63dd77be0d1f40ebfb9a95fea158f6e0ca06123f066660ce37a3289c82b15c4eef19454e890e065132440346dcfeaf8d7ff0f016bde1ffa2e75b55

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
121KB

MD5
c1e9a9c84745e81541c4ad8df65abbc3

SHA1
1d9849994a565f9b045645455fffb41b0de42163

SHA256
fe03a3e5848d2078a82a05dcd3f1285a2500de1b495b69e79454e3308a01d06e

SHA512
08e41bcbe7ea206522b30bb06b1d1218faeaa4c9bcad53e1b6cca512fb73227ca9ce736f5789a719ebc5ea63364c6dfc13b240ad519e5d6c3dda603d079bd8c3

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
121KB

MD5
01cd1bb426e821e1cd1e30f61f230e15

SHA1
e4e069587b459afd5046cbbb744f129e80b245d6

SHA256
4aeb4789cc0d5cb49d2bd6386ed454881ab16fd10d2826ed89b0e1796d4eba00

SHA512
41a5ea0ced9411819643755f69150118241a993bc1862a4c03f0bc674d8ff56ad341988ec4133d94e28298618ccc020d53768304d5ef04a165958016888c4519

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
121KB

MD5
ff9e9dfb9c2bf30619bd4a3e07324577

SHA1
06accfc6c2f319aa15d8f96a613b86e820bcf447

SHA256
168158452a6ff0d2b3a1cf4207ec731df65c293d79258fa7e1b04ec7b3fed979

SHA512
78a95afcac2dce9015e4fca83a0ddc4083cc0acda396900c028a90c82c6769f45fdd4c7fedf6b627278796d3c56cae85e7ead6270ee22799e0e0b8f8bae606d7

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
121KB

MD5
5e226b1d1ddaeccea22b0bfa657146dd

SHA1
2285b6f25fbb69d4fd28f4d09c8898d4ef2226e6

SHA256
bf0dbe6e61c36f82848649b4cc932423490b8260a03777e49e51051bc165f7f2

SHA512
f047027497e19fd7d1643612cf3e3f6c33595446081303720f1c7559022790eec71d2282388e3b6ff526b4460bdebbc25acc1e338d4d3575cdd2f573f7fa1924

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
121KB

MD5
c1e266c2ac20b0bc1db1122ce30bf091

SHA1
5f803096d1ace3335f22cdacc5cb6c98922a785f

SHA256
604ba3e4861a1cd46919699d2ee0baa93590d8e76890c0a937a6e40d2dcfee2f

SHA512
4bd41e777579afa7ef69c8db6cb0afa0e9d29e29f5cec55a4313bf873f51cc7e3ab3297e42beaec55ea62da7e5d640611ed955ea4a8387949cbba29e04714b41

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
121KB

MD5
e866b89c9903841122e49ce4c5efc146

SHA1
765ca324e966ca8fe0e663ee8ad5f75e49d156be

SHA256
0230301f3945c86596af56ada4bc1b38d953c6d1c58a7b8f0b024d3f60ec8cb0

SHA512
704808a72d8b0c91f7452e4ce5b1dc7c21d9999a23d5cd7d7af35fb6311b6a0267c3da64ca4d11dafa5e2abdeabfa642d540c1f99dc4d48a5bc99ee5cf7659c4

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
121KB

MD5
7a05f3761476daadff1520d39cb09529

SHA1
cf894d3ac3773685335ef6f28790b6098e48bcfd

SHA256
b4524f942901104ea427468e15ba42dd95178135a3ac5ec0504bb30a8d1b74c1

SHA512
4bcc2685368c05e5d592e8bb9377c838ed3d41a869411ec1be7a1f9f0171998dcf1627004298353c98ea9519c4bc9cf74f4b7eb01dda43eda2b0ad869f3b907a

Download Submit
C:\Windows\SysWOW64\Mdeced32.dll

Filesize
7KB

MD5
18e253c3ff5ec99e523f78172cc28690

SHA1
e2a1d53a9b61e28d3bf2a0878debdb733e754db2

SHA256
73f8e84de7a5dffd2c8d6ae6fc570cf335da9a9c04a90472566986a95a02c57e

SHA512
d1e21ff1353375d0780d967efb694fd96bc67ff823329a0a16fe2b3b170fbed87c50fe9f0ec2726af0a7b8386f0cf63d61ac51f1f33bce1193bce623fa3dd54f

Download Submit
\Windows\SysWOW64\Dbpodagk.exe

Filesize
121KB

MD5
89b253e0b1105abd3c56277d10c8a1ff

SHA1
96a9e0c1e47ee23a30362f15af8810dc628c60a9

SHA256
f70f4a46bf21b9d6d1e3efef648ead4da9e85ebc70df209f43ec9ab5436a4e3a

SHA512
c680f909f88613d094c7fe26bf7f1aa9972a718a3c2f9a22ff5e858cbed9128cfa753e5f29a90aed9740138357598dc56bca3ae4911719471d73abd6bbf0b6fc

Download Submit
\Windows\SysWOW64\Dchali32.exe

Filesize
121KB

MD5
941d569f8161ad5c520e17f9d951ee24

SHA1
c670bc8661691b0b3ea04df0746a2040f1d39607

SHA256
1519cafd13233c88393a50ce88364d4d55c12ae093256ac9e9f89eabe520268a

SHA512
823cf45a233da92d3988aff6e1d099b4c3335e3bd2d5baebdbb6a7728ea1d23bcc048f2000a7da2ebce54a6144916b6acc83477bfaa2c4ef1f03ec235aece034

Download Submit
\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
121KB

MD5
3d2061e992b5137371dd050d36ae5244

SHA1
817942264de0871973c8aa9129baa143642b3fd8

SHA256
52934423c6ebc1fcdc595b350959724931ca4485482723af0a602e7683088180

SHA512
9f0c63cc00d6788e19b1ac4a25ddaa3c8f65b8b6e4d165192b392b8f675da24bf17501a1b0975e5cdeb68332a0c666d8903f8cbaf010314b0979108c9ab6fc5e

Download Submit
\Windows\SysWOW64\Dkhcmgnl.exe

Filesize
121KB

MD5
1859a0c3bf4e4f31dea3ba084dc24398

SHA1
ae2b3f61446753af5fc52f868fce96bccb7bb43d

SHA256
346fedd81aaadadf1cb17af561dc722021559595d1ff273bbb9affe3fccdc572

SHA512
e05fbbff5862b20e28077383a642e19b0b1914cfe739833cbf90cfbf52bc9e5d301fa8d03f80189d403304c90a3a5a9489f2f86e2c0a18ad346737cc4281aee0

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
121KB

MD5
a421845dce1e033f465905bb00b5fe33

SHA1
35a8271fcedd21a28663104886759b797770feda

SHA256
2c2f86cda625bf49f2a7084581d0dcab1fd9999aa7a7439bb472f7011f0e9402

SHA512
f5f3ee4e1183005f91460414b965a8e7fc1b579b384b9a824953fc4f36ec389cd70d3ef0a8e990c0b93aab88c5f6d43c0fa600809ade27f147022f4fdb3e8953

Download Submit
\Windows\SysWOW64\Dnilobkm.exe

Filesize
121KB

MD5
347043c98c13be5eeba146e363821866

SHA1
0f5c7ef2b437f23b9d9c1b4c7519395a36e10e5f

SHA256
bfd3ad39de1f84d89c0500ce04a3d95f8e1d6bd0c26e5368f5dc3857bd69d7f0

SHA512
b6da2fe58b16ff9564331ec577dc6982e3baf68637e750c16c2b1b5d586cac1ad788beb272e0847369a6e20252ae0172f86dc13b80d495d009b30445a469bd12

Download Submit
\Windows\SysWOW64\Dnlidb32.exe

Filesize
121KB

MD5
29f5714b4745d441f364a6e467bc2b27

SHA1
05c7c365a5d7a9cd50560672a9c08db50b098f5b

SHA256
737352c41be27e9a075f096d044eff922cad1ba9e7c0757af587a55f1d3aa382

SHA512
3b00e84f21e5d4b98cf22ef112ea315205218c7b10ad8dd2a3b5a28948b589179dae4c61289fd84874ae0d533a137ee9cc0d9d8b3eb6e4094b57fdaa20312c84

Download Submit
\Windows\SysWOW64\Dnneja32.exe

Filesize
121KB

MD5
f7dafbd8e9a76e011392047913a78c26

SHA1
cc23458e3ff0683b145648cfdaa24ed10a7a14a2

SHA256
f5b2b0c35918a3b0ef941d80e711cb593e88f94f65e35eb104299624f0c8f892

SHA512
4b8da1e60414a88c89a5b606bc142f5ef91b58b4a83c2804d54737a5bfd2c6c085ba05fd38d30922ddfa52c7df6c40913535710bb55aebe7f8619a1baf3e73a2

Download Submit
\Windows\SysWOW64\Dqelenlc.exe

Filesize
121KB

MD5
dda8293ba30574e1f6c8057177045343

SHA1
dba99ee465867606e2795bc6c9d0bca3600542b1

SHA256
41a342c71d3828494f55e713c54c1a38e87a074f03783aa3608f219b82cfaf49

SHA512
90ac8b22cc1b48244811078dd9a380a620eeeadb9ca2e7c99631f7839dcf90950cc159d67b05d4cc74572790260a7750615291492875adbd74476756e60e9041

Download Submit
\Windows\SysWOW64\Dqhhknjp.exe

Filesize
121KB

MD5
e7bb1bcd7106157d923ed9bdd2c098bf

SHA1
e8a5710826f6b2cd10ab3674e3dbadb95b6b155d

SHA256
b23510a821e6ca5280c673d2fa2a1b9bbbe3ae7a302455ff71330f597c87c925

SHA512
26415b12fa6db12b932ca613ec5a5a2bb8db413d3bf59ae0392e26ca6cd7ae9db043b8c01159f813d36635833f8cf8d6878adee6eb0b6fea7cadc988789b2720

Download Submit
\Windows\SysWOW64\Efncicpm.exe

Filesize
121KB

MD5
93be06fe51f73ae0968104f0cad01607

SHA1
394194ad7a83af2b0a797240a0777d873ab62332

SHA256
30a881b488ac17a349a3523751163fca40ec389b7fd1f10493ca6aee57664009

SHA512
8e8190c11c2d3b5a59bb336a3ccf3f58c9e81c3546fb86fab7c8cb4e64a5cd7b3b064ca8bf28f3979f5c620eb87e1735626dabe754883172c94667483022ebc4

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
121KB

MD5
ff82c206bb484fbda329b67024c5c043

SHA1
4d3f38ca4ea660a8c10c65d2a2189119a53a31b4

SHA256
257d482ed19375b79e30a47e6921f021b084630c3fcd51defd55fed271e42912

SHA512
6a8b1c008bf6c4c563055cf6b319630a3ea24f770c98c2a98dec4f85c6b7b1494e7a170fc9cba573605a1abace6de3ff75ae5e48838b1ec53ef3617bea6ca342

Download Submit
\Windows\SysWOW64\Epdkli32.exe

Filesize
121KB

MD5
e2b68411855fbc085e1fd281c03b000a

SHA1
15e5db14be975ca73e02e0a1f6182da6b318efda

SHA256
93acd4910d5930f79f957ee4419fc420ab7f8cd17c85385da98014377ef20ae9

SHA512
72d9715d54921c831383d67d93530652b71513f4b2f5fb50b281a557a1c34c9c9f723f3ea2da7381d47e2f9a7085ee2e0d1c365ef0e87a0928d93064addee3fa

Download Submit
\Windows\SysWOW64\Eqonkmdh.exe

Filesize
121KB

MD5
a0d1883c5b2360ee2e691de318854122

SHA1
6fd9afbd67da0eed455e8f896c11fa4061014941

SHA256
627d55f4ff593108f5a6aeae9c950b203c238adda9d8b2662ff682203587dba9

SHA512
52648ed3e0e735871434cc7ce0e25d0e5e8436305dab6fae4b4fea9340da1c72f078f7e9a561e47ca547fce150dfa8b61ce5d5ceff0cf54ce6d249e728e66363

Download Submit
memory/468-106-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/572-299-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/572-293-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/572-298-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/1064-209-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1076-217-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1076-211-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1076-222-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1256-269-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1256-270-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1256-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1428-185-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1468-144-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1524-475-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1524-469-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1524-474-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1620-235-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/1620-223-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-237-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/1672-245-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1672-254-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1672-255-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1928-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1952-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1952-171-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2124-479-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2124-485-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/2124-486-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/2136-317-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2136-311-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2136-321-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2160-271-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2160-277-0x0000000001FB0000-0x0000000001FF7000-memory.dmp

Filesize
284KB

Download
memory/2160-276-0x0000000001FB0000-0x0000000001FF7000-memory.dmp

Filesize
284KB

Download
memory/2172-25-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2296-358-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2296-362-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2296-344-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2352-243-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2352-244-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/2352-238-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2416-432-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2416-442-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2416-441-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2432-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2432-290-0x0000000000380000-0x00000000003C7000-memory.dmp

Filesize
284KB

Download
memory/2432-284-0x0000000000380000-0x00000000003C7000-memory.dmp

Filesize
284KB

Download
memory/2480-309-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2480-300-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2480-310-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2528-387-0x0000000001F90000-0x0000000001FD7000-memory.dmp

Filesize
284KB

Download
memory/2528-386-0x0000000001F90000-0x0000000001FD7000-memory.dmp

Filesize
284KB

Download
memory/2528-377-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2532-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2556-411-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2556-403-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2556-408-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2580-91-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2580-78-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2704-333-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2704-343-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2704-342-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2708-427-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2708-413-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2708-428-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2756-453-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2756-452-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2756-443-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2796-376-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2796-365-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2796-371-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2824-454-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2824-467-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2824-468-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2912-131-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2912-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2920-431-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2920-430-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2920-429-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2924-65-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-332-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/2944-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-328-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/2952-487-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2952-6-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2952-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-364-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2960-370-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2960-363-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3040-100-0x0000000001F90000-0x0000000001FD7000-memory.dmp

Filesize
284KB

Download
memory/3040-99-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3044-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3044-398-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/3044-397-0x0000000000460000-0x00000000004A7000-memory.dmp

Filesize
284KB

Download
memory/3068-34-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/3068-26-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads