567790414c7428ba522cf22473a4f4d336930232201a97a8985381929437f858

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
Size

800KB
MD5

733c7311971b1b3398e5567062ed6390
SHA1

50c0d24ec2843a65e155572361f9eaf4b34245b1
SHA256

567790414c7428ba522cf22473a4f4d336930232201a97a8985381929437f858
SHA512

1dcdc9e8fcd3492541ad377cdf81532c14d8be17082966871ebd505deee3f249ba44ee51aef337e0ac0cebf23786fa9f0f8ec3f32a9ff9b72faf1ab7e6b237bc
SSDEEP

12288:zs/KCU/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KFum/+zm:w6m0BmmvFimm0MTP7hm0BmmvK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqjepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekklaj32.exe

Executes dropped EXE 37 IoCs

pid	Process
2928	Dqjepm32.exe
2792	Dgfjbgmh.exe
2536	Eflgccbp.exe
2556	Eilpeooq.exe
2652	Ekklaj32.exe
2428	Eiaiqn32.exe
2704	Eloemi32.exe
2416	Fdoclk32.exe
1732	Fbdqmghm.exe
832	Feeiob32.exe
1984	Gpknlk32.exe
2224	Gobgcg32.exe
1516	Gaqcoc32.exe
2284	Gphmeo32.exe
2412	Ghoegl32.exe
1104	Hmlnoc32.exe
1356	Hpkjko32.exe
1156	Hcifgjgc.exe
3036	Hkpnhgge.exe
1672	Hnojdcfi.exe
3008	Hckcmjep.exe
952	Hejoiedd.exe
1812	Hnagjbdf.exe
2008	Hpocfncj.exe
1776	Hcnpbi32.exe
1616	Hellne32.exe
1976	Hhjhkq32.exe
2976	Hpapln32.exe
2720	Hacmcfge.exe
3068	Hjjddchg.exe
2568	Hhmepp32.exe
2472	Hkkalk32.exe
2504	Icbimi32.exe
2628	Ieqeidnl.exe
2760	Ihoafpmp.exe
2168	Iknnbklc.exe
2004	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
2928	Dqjepm32.exe
2928	Dqjepm32.exe
2792	Dgfjbgmh.exe
2792	Dgfjbgmh.exe
2536	Eflgccbp.exe
2536	Eflgccbp.exe
2556	Eilpeooq.exe
2556	Eilpeooq.exe
2652	Ekklaj32.exe
2652	Ekklaj32.exe
2428	Eiaiqn32.exe
2428	Eiaiqn32.exe
2704	Eloemi32.exe
2704	Eloemi32.exe
2416	Fdoclk32.exe
2416	Fdoclk32.exe
1732	Fbdqmghm.exe
1732	Fbdqmghm.exe
832	Feeiob32.exe
832	Feeiob32.exe
1984	Gpknlk32.exe
1984	Gpknlk32.exe
2224	Gobgcg32.exe
2224	Gobgcg32.exe
1516	Gaqcoc32.exe
1516	Gaqcoc32.exe
2284	Gphmeo32.exe
2284	Gphmeo32.exe
2412	Ghoegl32.exe
2412	Ghoegl32.exe
1104	Hmlnoc32.exe
1104	Hmlnoc32.exe
1356	Hpkjko32.exe
1356	Hpkjko32.exe
1156	Hcifgjgc.exe
1156	Hcifgjgc.exe
3036	Hkpnhgge.exe
3036	Hkpnhgge.exe
1672	Hnojdcfi.exe
1672	Hnojdcfi.exe
3008	Hckcmjep.exe
3008	Hckcmjep.exe
952	Hejoiedd.exe
952	Hejoiedd.exe
1812	Hnagjbdf.exe
1812	Hnagjbdf.exe
2008	Hpocfncj.exe
2008	Hpocfncj.exe
1776	Hcnpbi32.exe
1776	Hcnpbi32.exe
1616	Hellne32.exe
1616	Hellne32.exe
1976	Hhjhkq32.exe
1976	Hhjhkq32.exe
2976	Hpapln32.exe
2976	Hpapln32.exe
2720	Hacmcfge.exe
2720	Hacmcfge.exe
3068	Hjjddchg.exe
3068	Hjjddchg.exe
2568	Hhmepp32.exe
2568	Hhmepp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Fdoclk32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Fdoclk32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Eilpeooq.exe	Eflgccbp.exe
File created	C:\Windows\SysWOW64\Ekklaj32.exe	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqjepm32.exe
File created	C:\Windows\SysWOW64\Odbhmo32.dll	Dgfjbgmh.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Eloemi32.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Dqjepm32.exe	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Dnoillim.dll	Eflgccbp.exe
File created	C:\Windows\SysWOW64\Maphhihi.dll	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Dqjepm32.exe	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mkaggelk.dll	Dqjepm32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Elbepj32.dll	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Eloemi32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqjepm32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe

Program crash 1 IoCs

pid	pid_target	Process
1664	2004	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll"	Eflgccbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqjepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eflgccbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll"	Dqjepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hcifgjgc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2928	2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe	28
PID 2076 wrote to memory of 2928	2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe	28
PID 2076 wrote to memory of 2928	2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe	28
PID 2076 wrote to memory of 2928	2076	733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe	28
PID 2928 wrote to memory of 2792	2928	Dqjepm32.exe	29
PID 2928 wrote to memory of 2792	2928	Dqjepm32.exe	29
PID 2928 wrote to memory of 2792	2928	Dqjepm32.exe	29
PID 2928 wrote to memory of 2792	2928	Dqjepm32.exe	29
PID 2792 wrote to memory of 2536	2792	Dgfjbgmh.exe	30
PID 2792 wrote to memory of 2536	2792	Dgfjbgmh.exe	30
PID 2792 wrote to memory of 2536	2792	Dgfjbgmh.exe	30
PID 2792 wrote to memory of 2536	2792	Dgfjbgmh.exe	30
PID 2536 wrote to memory of 2556	2536	Eflgccbp.exe	31
PID 2536 wrote to memory of 2556	2536	Eflgccbp.exe	31
PID 2536 wrote to memory of 2556	2536	Eflgccbp.exe	31
PID 2536 wrote to memory of 2556	2536	Eflgccbp.exe	31
PID 2556 wrote to memory of 2652	2556	Eilpeooq.exe	32
PID 2556 wrote to memory of 2652	2556	Eilpeooq.exe	32
PID 2556 wrote to memory of 2652	2556	Eilpeooq.exe	32
PID 2556 wrote to memory of 2652	2556	Eilpeooq.exe	32
PID 2652 wrote to memory of 2428	2652	Ekklaj32.exe	33
PID 2652 wrote to memory of 2428	2652	Ekklaj32.exe	33
PID 2652 wrote to memory of 2428	2652	Ekklaj32.exe	33
PID 2652 wrote to memory of 2428	2652	Ekklaj32.exe	33
PID 2428 wrote to memory of 2704	2428	Eiaiqn32.exe	34
PID 2428 wrote to memory of 2704	2428	Eiaiqn32.exe	34
PID 2428 wrote to memory of 2704	2428	Eiaiqn32.exe	34
PID 2428 wrote to memory of 2704	2428	Eiaiqn32.exe	34
PID 2704 wrote to memory of 2416	2704	Eloemi32.exe	35
PID 2704 wrote to memory of 2416	2704	Eloemi32.exe	35
PID 2704 wrote to memory of 2416	2704	Eloemi32.exe	35
PID 2704 wrote to memory of 2416	2704	Eloemi32.exe	35
PID 2416 wrote to memory of 1732	2416	Fdoclk32.exe	36
PID 2416 wrote to memory of 1732	2416	Fdoclk32.exe	36
PID 2416 wrote to memory of 1732	2416	Fdoclk32.exe	36
PID 2416 wrote to memory of 1732	2416	Fdoclk32.exe	36
PID 1732 wrote to memory of 832	1732	Fbdqmghm.exe	37
PID 1732 wrote to memory of 832	1732	Fbdqmghm.exe	37
PID 1732 wrote to memory of 832	1732	Fbdqmghm.exe	37
PID 1732 wrote to memory of 832	1732	Fbdqmghm.exe	37
PID 832 wrote to memory of 1984	832	Feeiob32.exe	38
PID 832 wrote to memory of 1984	832	Feeiob32.exe	38
PID 832 wrote to memory of 1984	832	Feeiob32.exe	38
PID 832 wrote to memory of 1984	832	Feeiob32.exe	38
PID 1984 wrote to memory of 2224	1984	Gpknlk32.exe	39
PID 1984 wrote to memory of 2224	1984	Gpknlk32.exe	39
PID 1984 wrote to memory of 2224	1984	Gpknlk32.exe	39
PID 1984 wrote to memory of 2224	1984	Gpknlk32.exe	39
PID 2224 wrote to memory of 1516	2224	Gobgcg32.exe	40
PID 2224 wrote to memory of 1516	2224	Gobgcg32.exe	40
PID 2224 wrote to memory of 1516	2224	Gobgcg32.exe	40
PID 2224 wrote to memory of 1516	2224	Gobgcg32.exe	40
PID 1516 wrote to memory of 2284	1516	Gaqcoc32.exe	41
PID 1516 wrote to memory of 2284	1516	Gaqcoc32.exe	41
PID 1516 wrote to memory of 2284	1516	Gaqcoc32.exe	41
PID 1516 wrote to memory of 2284	1516	Gaqcoc32.exe	41
PID 2284 wrote to memory of 2412	2284	Gphmeo32.exe	42
PID 2284 wrote to memory of 2412	2284	Gphmeo32.exe	42
PID 2284 wrote to memory of 2412	2284	Gphmeo32.exe	42
PID 2284 wrote to memory of 2412	2284	Gphmeo32.exe	42
PID 2412 wrote to memory of 1104	2412	Ghoegl32.exe	43
PID 2412 wrote to memory of 1104	2412	Ghoegl32.exe	43
PID 2412 wrote to memory of 1104	2412	Ghoegl32.exe	43
PID 2412 wrote to memory of 1104	2412	Ghoegl32.exe	43

C:\Users\Admin\AppData\Local\Temp\733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\733c7311971b1b3398e5567062ed6390_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\Dqjepm32.exe
  C:\Windows\system32\Dqjepm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Dgfjbgmh.exe
    C:\Windows\system32\Dgfjbgmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Eflgccbp.exe
      C:\Windows\system32\Eflgccbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Eilpeooq.exe
        
        C:\Windows\system32\Eilpeooq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Ekklaj32.exe
        
        C:\Windows\system32\Ekklaj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Eloemi32.exe
        
        C:\Windows\system32\Eloemi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        38⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 140
        39⤵
        Program crash
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eloemi32.exe

Filesize
800KB

MD5
42894867863087eb22c5f447ef2ded5c

SHA1
c1cc1c28e99404a8c9c9417ede989b2c1725d3c2

SHA256
27804ab5f5535540e6117f73357f5a104edc7f3dff1a33bd1b3309ae1f34834d

SHA512
bb800b5efdb0e35ced63bb9711df03560645b18c66950f1dd9826ec9931ac2e445bb747420bb356bad982e6a2dfbc4a93e9c6a62685027c5007452f7f8a6ce39

Download Submit
C:\Windows\SysWOW64\Fdoclk32.exe

Filesize
800KB

MD5
962cbf4654bed627f937c6925243c440

SHA1
a75ab8cb2aaed204ea3e4d40f7ec3cbeba5939df

SHA256
2de7db98cce0421f268c456f9ec0118fc00aec0afbbf845c85a94f838c7c2eb2

SHA512
5183ccd59a5968474ce4a50f2a0e0d2ebbdf9ae52756289cbad250b7478d87650ab86829d4a37c45d9b14606d814c26bff3e9c5c27874e54c139ff671bf799a4

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
800KB

MD5
f6368e35139c56ce8df87d341a15735f

SHA1
d5d1ea6fd52b7ade537ea4476a6c68a896fd3480

SHA256
21f0409460026af41b3ebaeedbbac15046f12cea472105ea9f057c5ebe695016

SHA512
89020031b36e088243be6214f956af3e8bdc5494e111a277a31407015ad2cba863b8135cba017bb0d2ecc2f0b3fcebc786a31578d4cca3a6d74b1eb47fdb345d

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
800KB

MD5
bc5118634130d459b212b009d99b98aa

SHA1
a0335f9cc1268964903cae385c6ca871677f9cce

SHA256
8b9bf322d987176fb0ded83106ac86e31dcc946a6713185530e4be8b356db8a4

SHA512
29f2431e57163024ba534caf754b2b75c7d5dea0727c7d36404010298c06dbdd71ad6a0136c80c1cca2468beebf8158a89448fcb1d9280c80cf5249e218cbd39

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
800KB

MD5
a02a09d8f2632ef00d27a8ebb7fe1cd6

SHA1
22096fd8876386f739d3b268842421b8880f2480

SHA256
2dfb5ac4e33f24fe1428fcac9fc831f5e559a3ab1b1edc7f3523ba7fe7b4b7c8

SHA512
1d5cb3de18673360e43ce4498143cb2c6ca79c74030d7dfa98ed2b7281f440a423a680b48283cba8816403c5cd5e649fa31a197a2fb0928030edbcf0da74356f

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
800KB

MD5
c5e6030e6558f4c26e86968b79f42aae

SHA1
a653ca2c831eb931264e107c71011bbcd7513f89

SHA256
fc1dafa3c323dda112e88a70938e49e791a95557d33c035e954aa5b8052924a9

SHA512
2005513b5ea427c67273ea42fae75c577a91d298391161e5f8c61689837154ca51538cef9bc8b03aa7dbab9625ebf9f7cd4a69c5c9ace4495149a48af3683331

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
800KB

MD5
9e5dfcc8937210c9c0091a9baad51c0d

SHA1
2576ed43ea22102ede156d4c1420e06b129662cb

SHA256
393b9b41c247067011e4ea75b9f756efa047c6827d17ad6c4d24aec8426bc4f3

SHA512
151ca92e34fec041bc8311b185dcc169bba9e99280d3d5ed1f3e49867bd193375b8fa4158b39f285bdd3f6507ce1cb28b339ef445236a0500d74654e7f4e7925

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
800KB

MD5
26bc1dabcd3ef07f13db1847fcdff60e

SHA1
1cb4752c4807e2dbd25e6c72957a3b5d9325d9e9

SHA256
9220c0e089df2aefe8d52c0c4f810dda1713cb4386a7f375aef68cde7d53052a

SHA512
211db911949b1bb19e2ad8b6e85871f490300bc00e7401a78dd945e65760e6fd0dbf6d453f852776df19786433245fb386244f8ef2fc5c004452cba7df76c643

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
800KB

MD5
1c319ebb01bd9e1367b4d220657514aa

SHA1
959e2c6967089638ba1c9446aed8a8a325c862df

SHA256
8c8ff8f90ec5e08a38485d08f6e0dbe9524d8d49a5577d771eb6b8bf9d345e56

SHA512
0fdcf2124ab46beb44460a2762516d22a90211c81c1e2d7455adae0fd1ba9a0fa2f6724f13c7c95e8275a4b5634eaf690cea50e6bd692c401961edfe3535e973

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
800KB

MD5
02e075fc03285e4099418ac6299ce00b

SHA1
25f5879d0acf7e4739d7b4d610c3ab0040d4ad91

SHA256
7138b103c7b3b99c8b8e113655b8d6953b83b82940ad14ded0d412492284c5cb

SHA512
2d9bd2d1a289f1854d5e6fc64d395c3c4673b131111e45fc94336c1d4bd7e71f6a5a41742d1e626ac14bc1bead564c00aa5486dd2a15445d99e294e1ef7c7f2e

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
800KB

MD5
1c2ef70865165969d5fbbfc74c425cd9

SHA1
658f4f9032e7343db577114a22a0fcb3718d84f5

SHA256
dd080bec71b3adbe6d0072198ee6c428bb51c497fce2a830d62d8de968819afa

SHA512
a21d2ccb4137731a2eb2c1d50745453d67d0f3864e8ae380c3aa254a3377e80c07cfb1c6bcbe8535782f4f63d17f259120dadd167a022cf892dd8ae4425c3ced

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
800KB

MD5
5be47b54e6447656a9ce98f627a08bb4

SHA1
ea9be1dd0bd75a36b4b0a1f75def4498eabf3511

SHA256
d44946540863b14e1ea51dba50424f478c23448e5d44abfca975b2438fc55b4e

SHA512
d4e607d80b228d213b7f5301cee56830b088cd4328ffd041c7c47ab60b65b74dcdedbcff9cd1f86e18908aeebf9641719f1fd8f2bbe178aef4c959809ee106a2

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
800KB

MD5
6cdfc0001585071fbd6ef9f9a4bccf3c

SHA1
772057778d4d22ab510e1f7ad3ec7ae8398f313f

SHA256
05fceccac7b50fef3017fa8d6af0fc1734ef049110f814664522f753aa510a6f

SHA512
bed2e9cd764a6b24490b2e31b76c085f347d1fe43c7f5410847176cc57a59457281d38917124b4602ea9f676a67ad9101d91f47be8d8a95c474988000e20a12b

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
800KB

MD5
93aadbe0fd81d91df20eb9940fcfa6e0

SHA1
b4e115d75799c9069d76c2421abc453e2cc686f2

SHA256
8d29cf63bfec6e3b7b762cb6fdb21cfd3d0083afa09fbbece6d85c0faec37622

SHA512
231899164721087795810278757e5b6fa50759de7a6c93a85589a2b87dda7e9eba9f6da9251cef41e8c37e26fe2367952a970d730f25e8867567755bac3e79ec

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
800KB

MD5
353f3f4759229ea799c292b207492f6b

SHA1
750f7ff4c7cd0c24c1430b7456aaf11bcf169c61

SHA256
474e664bfaaeedceeaa2f5f161c7756288045acc2b0b4b9c21bd4a1498b0316a

SHA512
c3e31efcf9a36a013d52b941394aa20d1bf0f28c3352cb570c7ffaabe8544835c333f6dc684f557b54097ccfedd27e03f80f6320dace1b1500444faefeaf02c1

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
800KB

MD5
6ac38c2536d88f4dc5aff5b71e8891ee

SHA1
1ca05a6c81b4810ee9dce9675180d21f2bb8dbe1

SHA256
75d43750f96a26da43d2b39b2a4d2c6aeb997c13160b87142dc71b7f1b585492

SHA512
a2032523a415e42c1b5a37b377b84e655ba08f33141906f9d90883835592d69cf8948664936558028fd80215fe4cb63cc5a2f007cc0b8ac4089c74e07e2a5d1d

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
800KB

MD5
0f7f345971389b3d287d2ebc1eb7d5da

SHA1
d8dae9bded9f8935cb7cbdf08ca754afe2babcbf

SHA256
ff9637ded0c16c1e5a46ac35514d25de046b87fc437007e7c9d31d713a28083a

SHA512
12fc9604004bf5af5cf6ba77fde8b6fefef7499d21d29bae14174b1b504a2a450a358cbe7d6f0e354727410fa82ae21b60596f7da64b5b66e201b0ad47165f81

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
800KB

MD5
64755ea865052567aca50f5d4b7c2d31

SHA1
3d86409de4c1609d600ee14c9087db02f974f5e2

SHA256
dbb1e4b9d0f242d0d898e18c439ca0108e9d45e1cf9c0095576f02040bbfef75

SHA512
c4429cc1b8a50ef6309873f138ba66361fc3c036f27eb0e8cdb55e3530b4d6b06fa0567465a20f99a659a74878875c93a18f981be06433ae5d6d29d3356efba5

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
800KB

MD5
cea63bb7a514bb3777097483f933ce79

SHA1
c7c9bf17b80826d29bd070c721c5d3788502eb56

SHA256
07068ce53a1c3dd1ca66f6eb0942b60ba18752aed65b037a9071d72c245478ac

SHA512
ad0e21241bdbd36a6f916bab8712796c8ca5833f794a43dc973f6070faa04a24ee78e36cfc020ca7018a30544e123ec627729fb0e2a77aff796c2bb588ed4173

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
800KB

MD5
e3a742899de90b69c4104e0f229cb0a3

SHA1
a9a5e271b533d726859b28d7a2d926238ba1afc5

SHA256
1a2aff214ef479c5f1c0d107abbccb97ba2867f3aa840510a2aa54d5b432b4d4

SHA512
8786154bc62107798e8b56c0bef793eef2ace9859f0da1ef4499606c50a8d27ca1dc4e4790845f4a8d0e7cadaff43f5b1d1a58a80b4acc6f44006421530e113d

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
800KB

MD5
b716c541292f65f1e8233d98332f9b3e

SHA1
359364e2148237fce349d1c5e1a2bec0e3b56ff3

SHA256
854020974e46717e37442bf5921fe44296ed188e18562dcea9510a4d3c8a9034

SHA512
d8e943291caf87fc7bc46490b4bb9c7d5421b43ae3bc4eaa9c2bd77decca4e73d269ab4c0269294299e5b7f825a6e793f86941371f3efe6b3f474a2198924f9f

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
800KB

MD5
6f39d94fa41bd4fad8c55200359eaa28

SHA1
31196db860f975f234848dce9d8cbe84a4499faf

SHA256
3b96448bd527fa590925a773d479cff0efefec55e7a19173efe29a8610455036

SHA512
64663625eecec945709da2407fbcaba5bacc41c88ff18fa4d7463d625280d1cb3eb4a6a1d8a004d984ea557f06d34203986cf76d6ee8da63c67246b2e6d381f5

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
800KB

MD5
ef0d1680c4c3af79eb271fba03a6e7f4

SHA1
0eef902fe61b204a8420e876434a4f8bfef60613

SHA256
bf3ada185c0ea9320014af380b5133164b49cff9e8472d7f511888f342276e41

SHA512
971d8407f7402efa372371e10a565fc171c512f8cf04a3da4395c39779f7a8d35d31f0cd111e79ebb0c7a83defda2fddc08ff6cd16af24232c5eca2ef56eb60f

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
800KB

MD5
3f16468c5d074fed2f7ed6da15bfe72c

SHA1
14d7f6b6d6d006bc27f92a668dbe66288f0837d4

SHA256
b67fdbc9b4ea01dc44537070fd8cdd682a8279b7d4b2df53d7ab2fd3628dd569

SHA512
c79e69330d853c0ef8b50843093e69e3a2b131d6aedf5f2e16640d3cb3bcb1199342cd5357059b433c5f721eb0c7d2e2dec5f0d0b2c14046d75c35b5cc22baf8

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
800KB

MD5
409f88030b1980ac6dfde5058d2dac79

SHA1
0c4f3a06c5c4491712c78b75846b27082ad52cad

SHA256
d220208e70826fe8f2ec84a256677466dff9b102c671f8a06a70be0fd3087d6f

SHA512
6a289f38e5fe0856fb3437ef6f5e0fa5be901b9c743311cc26cdb48ad1628df30785cb98c4f37e7bb1441d54f6384277c4d8e6fa6096bcd9e2f5c805556fd6f2

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
800KB

MD5
41bee41e4910d587dbd9f2fbaa06e177

SHA1
dbea9035c20ab1682c63de669cd5284ff0f2b668

SHA256
928ccc3ab936f3e4d7e76eef95d3b477be6342f73b33407a68cbc9a7f5537623

SHA512
99e98461cb90e2794cbdac12f06cf2c6316c0a68421528ab25a2e1f13aa9b6be0237093910e7c4401f3d6539aa49a1e171087e07dc6fadd931e3463ab15a2202

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
800KB

MD5
dee7c21be01abefded95bf2769685053

SHA1
8e98fc7ca4a95a1bae8777978c43fa2abf1d0c05

SHA256
0af0a3e9b872fd45467e7861858451c16a4719c4962c2ae455946dfffa3131b2

SHA512
3b3630d3c30639ada2555a8d72e97d5d8afa211e33bd852248750df4ec47701199f69ed37549ecc4f13d554e4cd2fbdbf3c287b30fd5a26c3da0c4f6bb05f286

Download Submit
C:\Windows\SysWOW64\Maphhihi.dll

Filesize
7KB

MD5
f1309bcfdd327ded31037eac619e2448

SHA1
e590d33a1ac3fab18a0079972dfa665ca53163b3

SHA256
37c1becf4b4529116ca6fbfc91873b4c9aff78d587d95f6cb9674b127c020256

SHA512
baccd559471952612e0fe468999dd8c3fbe58797196f19fe64a1f19a75340022c1bd4f9121070fb73806a55b38f033dbe6bb55d47698bac8e2ca4710b3011787

Download Submit
\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
800KB

MD5
2793ae7cbf3a3e48e56c18a69c649356

SHA1
dd186ab5956775ff198831bd4a9e619a07418ea4

SHA256
37556f072fd1c6a6e5d09d3e28595c20bc51cd9aa26b549fb05b885c3464c987

SHA512
c8ad32cec58506bd841427bd3f960e550e69eb77e82bf0a6424a27a0f73768c77d23cb5f56fafb1d28f855d031864ba6d088e5ec38081207ce6f4874d3c6b45f

Download Submit
\Windows\SysWOW64\Dqjepm32.exe

Filesize
800KB

MD5
9a1c26b81aa5cfbfdcab4172f1eb886a

SHA1
9307a643ebce0e85da20a4d380647282f9b340cd

SHA256
2719b64b6eca2674c7faa9a1c9910003bd8afd768d8a03228702107ff15b8555

SHA512
dad41e88f9cc913e3bc8d2dcaf8ece59c1d9511302133ed7f7b8143f64dc15fec034bc13889c5839b8c989ac01ff67ea504765521953c47beca96b309f0ae259

Download Submit
\Windows\SysWOW64\Eflgccbp.exe

Filesize
800KB

MD5
52454517ac05ffec49d8c13f988cdbb6

SHA1
d498ae2cb634c307d1b620f6ab6a6c24828f2d52

SHA256
5f34b65936d5821cfc1315944e97e32d71b6fbc529fbad7bafa067c03c7e9cd6

SHA512
97f632d867a21d5cf5bb5c25f3cdaaa1e963bb11cc9fa472712cd384e575bbabcea6179532f010ab0f56a8d0812eb3723724dd506adc38922ac2f1623ef88274

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe

Filesize
800KB

MD5
8846334d718d91b328c4b1bcfc0b1a49

SHA1
c72db34e41d84ba98b7855df80dcc7f2c92334c7

SHA256
ca959a3c62db8e43d84267aeaab03e56b9263e9fc77a4fc4de809878bbdf635c

SHA512
49b1cc58ae97e0ffc28c4551bf7d6e5d61ba1c9f3da687388efc9f52a1587c618069cb39987a99fc3d6cb88dd8a2490709f42ae068e6ffa02c865a5e1f4f331a

Download Submit
\Windows\SysWOW64\Eilpeooq.exe

Filesize
800KB

MD5
96f4c58d6b72c6baca0bfee1c8eb0de2

SHA1
53a21251b34a2fd37629929ee06ecbe74666c042

SHA256
204ed03e5d64a0953289e53bda414a40ece25f402b9876a21140de68aff1ae4f

SHA512
acac44ea1a0d660f468ef11df4f4d814f8d494653c11bf2a77389a365462d3f25809680996d7be68d4514d2e1319bc26b9811507ea7be9d00510e4f5dcb1f612

Download Submit
\Windows\SysWOW64\Ekklaj32.exe

Filesize
800KB

MD5
a287a299671c3bd58e17b97c48d5833f

SHA1
a1d66a515be3c0ff294557abac0dee449dd6b688

SHA256
15d76737f1c3514c70c32d07f12cd26b9c4d6243a00a244b881d14c064dbea3a

SHA512
0994d83018dbe8cbf507de791e249dcd7be4ca98d5d6a4e66a72778e0fe46be4638e4b1586eb59a01aa3425be7c36926b40579a1a54b61df8699ecbb86f80058

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
800KB

MD5
287ed200d588fc8762e090f605fd86dd

SHA1
b448a37e4ed3d4939298732a77d95256b8da8df7

SHA256
531cb6f4ad2b8156ac6eb71b9ebfe5ecc763fedd53abc917fb30c14de792bec5

SHA512
6bff41b8329a81e1059eae9fbe06a81428af0775bd4e876f1b0511ccc2d30e93997ac84eddcb7cf18ef89ed84a88aa87d9a890c2c34189b46cd158d7e4c39454

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
800KB

MD5
3ff4a36f54c41ac6cdcd1e99df7120e8

SHA1
6657ecab03c6e0c14c76bc2b22f3836fa26837ad

SHA256
99e1ffbe51b77014ff2f9cb792dc34496daedf9e66536339bd373ab073db6dc5

SHA512
cb756fac31588ec3510c861d00a11723cb7dbbea8e6d872de441fa22515cb0518b4d38158c9c6b5bc2e7c7ed507946d2d2645757f06954ddc60a724b5a994fd4

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
800KB

MD5
2abd724f516616a075caaf3feb549736

SHA1
49ed4eba775d559b4d2447195a510b2a68e87bfa

SHA256
12fb970305adc8083f2683016f97b5f12e24d72ba5b6b715a96247fe13f2d78d

SHA512
535b54dcf831894cc95d864a4371c03b1ad90e57c02e00920c10a782ccfa3dda11b2c6d7cca13fef444448f6d8bc16e7bc403b617db8beee6c385c756a598ea9

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
800KB

MD5
9509b3186ddc2a8f491898ddafb303be

SHA1
e9e6835adc907573fa45f160df7d8e5fb8ccf9b1

SHA256
2668664ec707f2b46317316297d617e3c8af2abfddba05a6a8e5a0c319fb8346

SHA512
80464e2976153ada8325bb61a92bdbeb106805b4eee21a038184bf3e5f768c1095fd22c45139740d7fd6bac5980d6ba1fc49d3bedd4634f2520cc96d4b59c06e

Download Submit
memory/832-157-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/832-156-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/832-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-301-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/952-302-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1104-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1156-258-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1156-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1156-257-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1356-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-201-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1616-344-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1616-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-345-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1672-280-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1672-279-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1672-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-137-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1732-143-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1776-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-333-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1776-334-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1812-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1812-316-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1976-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-359-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1976-358-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1984-173-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1984-172-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1984-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-326-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2008-325-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2008-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-6-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2076-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-13-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2168-455-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2168-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2168-454-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2224-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2224-182-0x0000000001FA0000-0x0000000001FD6000-memory.dmp

Filesize
216KB

Download
memory/2284-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-215-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2412-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-128-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2416-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2428-100-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2428-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-411-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2472-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-410-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2504-425-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2504-424-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2504-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-53-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2536-56-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2556-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-66-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2568-403-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2568-402-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2568-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-436-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2628-435-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2652-86-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2652-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-85-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2704-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-114-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2720-382-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2720-381-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2720-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-448-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2760-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-447-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2792-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2792-42-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2792-41-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2928-27-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2928-21-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2976-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-370-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2976-371-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3008-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-294-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3008-295-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3036-272-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3036-271-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3036-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-388-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3068-389-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3068-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads