6bb27604487f55b839359b0fad0fc02266f62f283d1ae56d297fcbd0a5d4da6c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Size

59KB
MD5

bd1dabdeaae302eb206c68de10c89600
SHA1

eaf326714bdd3f30313b49c40dcfdf383930e2a7
SHA256

6bb27604487f55b839359b0fad0fc02266f62f283d1ae56d297fcbd0a5d4da6c
SHA512

dbc3b0a4825c7d53dcb1e3e55b9cfaca3bc21954c5ce45d69ce5d2a1abe63ae64b33b77602652c9c95f73320e4c759273a01da9c04698917de80bdc29e0e7690
SSDEEP

1536:TVeQ8MfJMiJ/E0Qy2VmcwSFLJKjgNCyVso:TVTBJMu/3Qy2tbKjveso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe

Executes dropped EXE 39 IoCs

pid	Process
2356	Ffkcbgek.exe
2704	Fmekoalh.exe
2592	Fjilieka.exe
2740	Filldb32.exe
2528	Ffpmnf32.exe
2916	Flmefm32.exe
1748	Fddmgjpo.exe
2660	Fiaeoang.exe
2172	Globlmmj.exe
1772	Gbijhg32.exe
1564	Gicbeald.exe
768	Glaoalkh.exe
1516	Gangic32.exe
2120	Gieojq32.exe
2420	Gldkfl32.exe
2240	Gbnccfpb.exe
1780	Gelppaof.exe
2808	Ghkllmoi.exe
2348	Gkihhhnm.exe
1180	Gacpdbej.exe
1848	Ghmiam32.exe
1464	Gkkemh32.exe
992	Gphmeo32.exe
2296	Gddifnbk.exe
1860	Hmlnoc32.exe
2056	Hpkjko32.exe
2584	Hcifgjgc.exe
2632	Hpmgqnfl.exe
3004	Hejoiedd.exe
2636	Hnagjbdf.exe
2472	Hcnpbi32.exe
2912	Hellne32.exe
1604	Hodpgjha.exe
2544	Henidd32.exe
1908	Hogmmjfo.exe
860	Iaeiieeb.exe
1944	Idceea32.exe
2448	Ioijbj32.exe
1164	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
2356	Ffkcbgek.exe
2356	Ffkcbgek.exe
2704	Fmekoalh.exe
2704	Fmekoalh.exe
2592	Fjilieka.exe
2592	Fjilieka.exe
2740	Filldb32.exe
2740	Filldb32.exe
2528	Ffpmnf32.exe
2528	Ffpmnf32.exe
2916	Flmefm32.exe
2916	Flmefm32.exe
1748	Fddmgjpo.exe
1748	Fddmgjpo.exe
2660	Fiaeoang.exe
2660	Fiaeoang.exe
2172	Globlmmj.exe
2172	Globlmmj.exe
1772	Gbijhg32.exe
1772	Gbijhg32.exe
1564	Gicbeald.exe
1564	Gicbeald.exe
768	Glaoalkh.exe
768	Glaoalkh.exe
1516	Gangic32.exe
1516	Gangic32.exe
2120	Gieojq32.exe
2120	Gieojq32.exe
2420	Gldkfl32.exe
2420	Gldkfl32.exe
2240	Gbnccfpb.exe
2240	Gbnccfpb.exe
1780	Gelppaof.exe
1780	Gelppaof.exe
2808	Ghkllmoi.exe
2808	Ghkllmoi.exe
2348	Gkihhhnm.exe
2348	Gkihhhnm.exe
1180	Gacpdbej.exe
1180	Gacpdbej.exe
1848	Ghmiam32.exe
1848	Ghmiam32.exe
1464	Gkkemh32.exe
1464	Gkkemh32.exe
992	Gphmeo32.exe
992	Gphmeo32.exe
2296	Gddifnbk.exe
2296	Gddifnbk.exe
1860	Hmlnoc32.exe
1860	Hmlnoc32.exe
2056	Hpkjko32.exe
2056	Hpkjko32.exe
2584	Hcifgjgc.exe
2584	Hcifgjgc.exe
2632	Hpmgqnfl.exe
2632	Hpmgqnfl.exe
3004	Hejoiedd.exe
3004	Hejoiedd.exe
2636	Hnagjbdf.exe
2636	Hnagjbdf.exe
2472	Hcnpbi32.exe
2472	Hcnpbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Fiaeoang.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	1164	WerFault.exe	66

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2356	2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2356	2036	bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2704	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2704	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2704	2356	Ffkcbgek.exe	29
PID 2356 wrote to memory of 2704	2356	Ffkcbgek.exe	29
PID 2704 wrote to memory of 2592	2704	Fmekoalh.exe	30
PID 2704 wrote to memory of 2592	2704	Fmekoalh.exe	30
PID 2704 wrote to memory of 2592	2704	Fmekoalh.exe	30
PID 2704 wrote to memory of 2592	2704	Fmekoalh.exe	30
PID 2592 wrote to memory of 2740	2592	Fjilieka.exe	31
PID 2592 wrote to memory of 2740	2592	Fjilieka.exe	31
PID 2592 wrote to memory of 2740	2592	Fjilieka.exe	31
PID 2592 wrote to memory of 2740	2592	Fjilieka.exe	31
PID 2740 wrote to memory of 2528	2740	Filldb32.exe	32
PID 2740 wrote to memory of 2528	2740	Filldb32.exe	32
PID 2740 wrote to memory of 2528	2740	Filldb32.exe	32
PID 2740 wrote to memory of 2528	2740	Filldb32.exe	32
PID 2528 wrote to memory of 2916	2528	Ffpmnf32.exe	33
PID 2528 wrote to memory of 2916	2528	Ffpmnf32.exe	33
PID 2528 wrote to memory of 2916	2528	Ffpmnf32.exe	33
PID 2528 wrote to memory of 2916	2528	Ffpmnf32.exe	33
PID 2916 wrote to memory of 1748	2916	Flmefm32.exe	34
PID 2916 wrote to memory of 1748	2916	Flmefm32.exe	34
PID 2916 wrote to memory of 1748	2916	Flmefm32.exe	34
PID 2916 wrote to memory of 1748	2916	Flmefm32.exe	34
PID 1748 wrote to memory of 2660	1748	Fddmgjpo.exe	35
PID 1748 wrote to memory of 2660	1748	Fddmgjpo.exe	35
PID 1748 wrote to memory of 2660	1748	Fddmgjpo.exe	35
PID 1748 wrote to memory of 2660	1748	Fddmgjpo.exe	35
PID 2660 wrote to memory of 2172	2660	Fiaeoang.exe	36
PID 2660 wrote to memory of 2172	2660	Fiaeoang.exe	36
PID 2660 wrote to memory of 2172	2660	Fiaeoang.exe	36
PID 2660 wrote to memory of 2172	2660	Fiaeoang.exe	36
PID 2172 wrote to memory of 1772	2172	Globlmmj.exe	37
PID 2172 wrote to memory of 1772	2172	Globlmmj.exe	37
PID 2172 wrote to memory of 1772	2172	Globlmmj.exe	37
PID 2172 wrote to memory of 1772	2172	Globlmmj.exe	37
PID 1772 wrote to memory of 1564	1772	Gbijhg32.exe	38
PID 1772 wrote to memory of 1564	1772	Gbijhg32.exe	38
PID 1772 wrote to memory of 1564	1772	Gbijhg32.exe	38
PID 1772 wrote to memory of 1564	1772	Gbijhg32.exe	38
PID 1564 wrote to memory of 768	1564	Gicbeald.exe	39
PID 1564 wrote to memory of 768	1564	Gicbeald.exe	39
PID 1564 wrote to memory of 768	1564	Gicbeald.exe	39
PID 1564 wrote to memory of 768	1564	Gicbeald.exe	39
PID 768 wrote to memory of 1516	768	Glaoalkh.exe	40
PID 768 wrote to memory of 1516	768	Glaoalkh.exe	40
PID 768 wrote to memory of 1516	768	Glaoalkh.exe	40
PID 768 wrote to memory of 1516	768	Glaoalkh.exe	40
PID 1516 wrote to memory of 2120	1516	Gangic32.exe	41
PID 1516 wrote to memory of 2120	1516	Gangic32.exe	41
PID 1516 wrote to memory of 2120	1516	Gangic32.exe	41
PID 1516 wrote to memory of 2120	1516	Gangic32.exe	41
PID 2120 wrote to memory of 2420	2120	Gieojq32.exe	42
PID 2120 wrote to memory of 2420	2120	Gieojq32.exe	42
PID 2120 wrote to memory of 2420	2120	Gieojq32.exe	42
PID 2120 wrote to memory of 2420	2120	Gieojq32.exe	42
PID 2420 wrote to memory of 2240	2420	Gldkfl32.exe	43
PID 2420 wrote to memory of 2240	2420	Gldkfl32.exe	43
PID 2420 wrote to memory of 2240	2420	Gldkfl32.exe	43
PID 2420 wrote to memory of 2240	2420	Gldkfl32.exe	43

C:\Users\Admin\AppData\Local\Temp\bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bd1dabdeaae302eb206c68de10c89600_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\Ffkcbgek.exe
  C:\Windows\system32\Ffkcbgek.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\Fmekoalh.exe
    C:\Windows\system32\Fmekoalh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Fjilieka.exe
      C:\Windows\system32\Fjilieka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Filldb32.exe
        
        C:\Windows\system32\Filldb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:992
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        40⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 140
        41⤵
        Program crash
        
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
59KB

MD5
d18db508f133be0a72d36f46b839de69

SHA1
ac4a41c74423b0139d87919f1a40069ce9573b52

SHA256
1df22a38bc2797c131e480c866f3b4948a852abf0baa832f01318acd81bcc121

SHA512
b98318c6f43a4e972d89430ad784b2dc0128a5b319a3b786299fbb6d91114cff1db917d3e5204ac3fc2745ed75ad2edec1356195ca8799d1b303d2bef03ca08d

Download Submit
C:\Windows\SysWOW64\Filldb32.exe

Filesize
59KB

MD5
1ff881dbb75bc8853755418d1a4baa0e

SHA1
39dae83c184fac407e4198b503d1b6a2b9f09753

SHA256
e88c959c2231c07f40f5c3152e8044004ad3d4638b319b3157280dd26bbc490f

SHA512
d8237d492a9afb05b5b1eb8a8bd4f989e84b8bbd0792a2bcdb8728775300fd27a602c08ee036682876769bee4095a4284204dfd086eeda1fa35a112829bd6ab1

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
59KB

MD5
8ee59ebf7cfb2e3654b56fc148ae8700

SHA1
d8493c555efd8c55adcacab2b18d25fdc3664022

SHA256
101b02ec853a7e8913edd4dcca1380d6dcb5e6ae27540a517e26f4b9ba969d04

SHA512
c2d97311ddbdd66c193bfaf1fb7479bfd137ab1452319cc6c1c81f635736a8fb310789c04ca0b01072d672f110a5229657d74879fe06cc8dcb875a9bc8b326d6

Download Submit
C:\Windows\SysWOW64\Fmekoalh.exe

Filesize
59KB

MD5
163070299176a76dfa0bfff7a549f244

SHA1
f9069f4b8c6ffe6f4d9236bc80303bf40c628a9f

SHA256
f3cd56c4a94b1ec1596dde864c3bb563b136cdace85761aa209c15dae100ce86

SHA512
e0deee8c39f8ae723fd11936e47f1ffee820ab1ada624da98dca0f9abb2179fcb59eba1143bb7466639b89a58679371aa6cbd230fb0796cc00dfcf6fff8ac281

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
59KB

MD5
1aa67bca433fde40b341074bcefd0972

SHA1
3631fbc2114b5a14ace3cb82948f08b71bd62e51

SHA256
5a2f4de7fd900e278e059c96b1c10e753eca12b1ad90f60a2af9204cdba3909c

SHA512
fb9956e1d22b0e6afebadce8878389f2232f1a54f4cd452e53196c86f5e2448f41b0351f30fcea8f10f78055cdae532f7f655555f535d593a558493e95de63ec

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe

Filesize
59KB

MD5
d39364dcd550c2bd2bb42dc29f758fbe

SHA1
33eeba0447d7eb48e2dff84a3799500642b6ecb2

SHA256
801d677f26512aefec783a931599ba55e28b9591d54d5f76a1ce5e8c575de664

SHA512
bdd6047e00951a705138a66700dd769bb5c3f3d975f11c26e63a6493a90d20444dcd8ef88a7869b4cf40ff2856ea60b6ce58b3830997e2fa75fb4db690729915

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
59KB

MD5
c39c831c0a4d82bd90b7514f4458e9a2

SHA1
f58bd340d6d6e12ac61dd74c18a1f24c140e1b0c

SHA256
f9d09ab6e85eacbd2e602ad7ca05945d2815c9ad87c7a8562228fedad1c0380c

SHA512
bf9d8d4f642433211936772b798bdfe474ce943ba3e4a171112dc1b46bcbb56505c3fe9171ce33e7213ead3fd5cc4f444c05ebcbfd971183eac3dfbb03a0369d

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
59KB

MD5
bdde98528103ea9cca78809224cd2709

SHA1
9bb69e1d91986af16ae6171e56789fa649b9b8a8

SHA256
3849ac9ef98a90b35d3e5e20b3bb11b3955126891da0f14a5845baaf32195430

SHA512
500a7e3fd70d68729668e892f0b72e15841f60f3fb58d9897f8414c7fdf2c4938a45acb48e588c945738e708dec05d6c6ada96ce75a40f1eaf16a8e8412ee093

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
59KB

MD5
e93740ac1175a3163d6aac45e4116f33

SHA1
00dd099dde239eaa373c470aa376411f2095c2b8

SHA256
a61c37406db1dc96e62a1eb53f2c35859c17430bc093d7f3cf21144e4fdcdcf3

SHA512
4c1d3bd581c5255828e4cf866ca185e68312da4ae950b1580038debeffe985459d047a5c4dbf869b85e3b79deee9668e520014e0f4665b9db19c1a09c5d768c1

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
59KB

MD5
cbeeca619df97f727f106cc66a46bed7

SHA1
b895c44b78a0f6635720e24961f87734a90f091b

SHA256
668629ffd7f34b505277962bc896235f0a2989794ae56ebbd2be0395ed71fb93

SHA512
9a4396cdbfc549e9a32f506719386aca2223910659b130245827156d53d2a37a4e97bb0984c34564bd963b6550d2c2e6de3312c1b94268074cafcab9f3747da3

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
59KB

MD5
7a585dca234d89df19d8a5809bee082a

SHA1
cf23be644a9d7ade527f4825582f05f33741d1f9

SHA256
f5a302a8ba576304e3cb3527c68dcfe7caf4f4b407a85940b861a4db2ecae08c

SHA512
1beb030663d85847edcb7b63fe760713086f29026faf584a0dadce8aff32b14dbf1ba3b48a16a5698103ee998fea50f2273eec367f252cbae1ee044d0cf23c21

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
59KB

MD5
9168495675dce17875124ea008d189f9

SHA1
6d8ff8063a424906bc23b47e4debecbc97112d8a

SHA256
ad379a497b30122629d6f331ce3bc7bab106d4ce5f4c7bd83630d20b09b8c4db

SHA512
78428db26c1dce19e74333afb8df413653d992a00a42aae8578c0a87b1806c7de5ccb7316461e9db48dbef70322736794e9bf60b24a2528517a25865cbde84e7

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
59KB

MD5
5c3dfbcf5cebb83a7350080d9e691bdf

SHA1
6e9d66c6eac96ac596d7944839c63a1b28a929e7

SHA256
8ac6823325e361a1f3d7396d04c1638f6a413f58ac5eecb5d56291b2c36fb0e3

SHA512
41f7bd1aed01e2e5635f9259f45c18deee8510175fcd3a7daaf6082df709b965ac252672a88dc267498cfb79d6521eb8aac4bff6ff63dfc1e9b7cd2233cfb770

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
59KB

MD5
34d445cb4c8fabf8de9317981f25395e

SHA1
ffa9da31736b220adbba7e7a606dbbdc3bff3f58

SHA256
9add55498fcacc9078ece87ff7e7f583009cbc285f41e0e0b3a87a0f324fa28f

SHA512
45ff63ae4d93c3b5456ab6ea67fc7a5ac9c795015d2af23da4c2008e099943515e279e55429ac577bfdfd27cf684a9e5244b5f743be20953d5e5b886a4757f04

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
59KB

MD5
5602bd4bedd357dcd8eeb328fd65a2e8

SHA1
932e87cbe53583b0b2cfde50aa9f25d6d17916b2

SHA256
c6d2fe0494814ca2b6466bc7bd22c34e23ea59df7eab140f69506e5e88288549

SHA512
172482f68c27d48f16a107dba014e1a296d574a082c31bc6651f782f71bddef5d5b129d90e97d5c529b7c01fb4a667e0a33514ebcf252a8dc3515ceaebba6ed5

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
59KB

MD5
60b1f791cc139045ae99614924b76902

SHA1
04306338b8a7457d0ed749472afada9b04032caa

SHA256
431cade27ec9d8e945b9179fa061131a515d3f833c150a109d5fd8549307d816

SHA512
f32e978bc2c0507e2e7f2c4a82bfacdf37cb6678214ddc7310f0687c865c0f3316100006696f7fb71162332e002b2632984202b81694c51951dd0b145faf1e15

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
59KB

MD5
753153143100df599ab90c09874ca88b

SHA1
1e1e5cb73455f45586a78d202a5a2bc67c6ea6a2

SHA256
3cdcf889808ca6b1b0490ad1ad9ca75362b37bc99f5c774750a8eaa24c05a371

SHA512
b4eab7d5ee96b7f5410fe7f0876feb79c19466a1485b1ae192868dbb22a1c0f129da2f18488d9533e9c1795f88be8723cc87c02fc78733c290d79e3e5453965a

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
59KB

MD5
2eb1ea24f9f43b1855f93d5bf1d723f3

SHA1
e5f7e68fffaba85b9e4e6cb0800575cfe0af9002

SHA256
c77b8afd4a20fa8588640e362f98261b997961a5167adf61701506b9348587dd

SHA512
457d4cd1b750ad823e52aa929cd37a718ba44c33a33482ae038b1fa1146212636a5dc1721649a7e094b2c167df1cecf51dcc626573a20fd1fa9d45a14949ece4

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
59KB

MD5
ebf9c6603241b02d9291dada6b4e7622

SHA1
1ea784eb8fa6b0dac69922d7912ea96b15c0625c

SHA256
bde823c2226a15f1b33dc8b0de0ffbb0fb5797d5f4e9ab50a8bfb81ea2aee8b6

SHA512
7356cc9450ef6840d27c0f157080c6f7958ae2e5b38c45d289810fb9ec6b97d96f331733c092b239159b5f50121e22a4947d3497653dfd86b432886e3e03dbfd

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
59KB

MD5
c204ddfe80b8bf973cc5ab36306d853b

SHA1
d1ae4cd90a32ce1e0746dce4a23806069cde71d8

SHA256
bfce7b1e0875e413c206bf99568901bfae87e1646ee073b5bec726cfa7e3b6ff

SHA512
5b066eece2061f540059ea56eda441a95a4c62ce96a5822ff4603ac653c0d417feca6c1c6998100ac9d889e448ba4247b5ff8e6e45eb04c8e9684556aad044d5

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
59KB

MD5
4679eea93883fe2056c37904e07a1058

SHA1
da0f90fac40cf15c5866f222cfe5567abf1a6962

SHA256
aab5db56b683b03bb7eb9de61846daefd14ebe91275f1cf0bab02648054c0df4

SHA512
ce28a5e52154fadf43c7d125b033923c3cdccdf41f96d0976e4ccac38b2150c4f29e4ae7de1dc796c08161e176d002e4d95ebf76a9dba28505f99d81d8686976

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
59KB

MD5
84cf715f98df204325362f2bb3509c3d

SHA1
10d634393a9127defe5dc6e43fc2b4b706d687ef

SHA256
e68826d6410a4d258901480c0b0a866a13d485e58946ae2e0f52d5e2e0202fea

SHA512
7470554cec790ab50c6978c96d5647e7ec6c87c4240e4976de81b72a9a29d2dfc7139da38a5dc5f87efa241e13a4fccc0496a28850051677aa2f88472e360e26

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
59KB

MD5
2de6d0390f41be5c822739071e445f55

SHA1
34357bfb69b6dc59e13902e6ae1761bd426f77b9

SHA256
c1bb87433c0ec67de9fe258702466499322fb2fef3f6dc0147a87c678d6f6362

SHA512
e2398c133ec7d4f495360ef6be1d149baa568cdec3e7587cd8f751ac2a4b3ae4535307390c3d9a477d64612c8c3cee20b7c50b871390d41a33876a4de7ec7ace

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
59KB

MD5
09664182dea4a9fe807b7a396dd22c32

SHA1
45e9509a79484691535a95ffeaea2810ccb3e7b2

SHA256
bff09cdfcf6f52afce82113a8ff098adfbd525258ae32f4121efabcc36fd08b7

SHA512
4f97857379f7697c2cc41756dd1ffdc62ec8683ce0cf5db2a745bf80c36ca96fda71e0f6f4b0b548276c27abc9a4c9b0f93b19f0fa5b13ddbdf869f44fdaae26

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
59KB

MD5
ed6cd533844cba363a909c895e03a036

SHA1
217848cb349a7d4e1f03555520aa79d58cb120f0

SHA256
54886403fa68f8cfba02bd714ece892c20877b4258d7917ae4093885fcf9bb74

SHA512
520a126fefd9c2bb574c8ff1aee5a686aa7fc2468665fd8de8f516943661e1a325fdcca79d9954e7cb0e6d40881c52e93b4307ee78499ff2b43545171bc5af8e

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
59KB

MD5
8b0e3e445bca1e2afe226971f1df8f1e

SHA1
846bd3a6fd8e463df7dcffc35fc5c5bfc5cdc66b

SHA256
7f41c8819e620c22c32e599bada72d3d34383c1fad6e440a45a0613e8e60ded3

SHA512
0c941470c50d3cfd5e4b579211f76c769803e3025227c29152794b6fa6670f2848196b0be4e703b0e581380a769a23e360cc8a0f0c098d9a04b3be6a46ee3016

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
59KB

MD5
d3391aeae9ea3101b1733c8419349c8f

SHA1
bb98778b57d94dbe6942c4cf15d6cd2172117f77

SHA256
13bc0d32a3eb41864b10ce764e2aa38bbba428d7ef36877849d4cab8c2adf3c3

SHA512
0ae035b028eb0218d56fed956130a4f05d522a11a3bc23823704f831ef2a191e88059cfe3cddca99aa9604034750f68bd0e784c6bb1479b8e1b927e449a80d76

Download Submit
\Windows\SysWOW64\Fddmgjpo.exe

Filesize
59KB

MD5
79dabfd77358cedc85b0e0ee197c95e3

SHA1
d7b73feddfb467f4e8cd1807f690a856dd3f656c

SHA256
da1ec2efcbbee22656992d11498aa2da4f4dc07866a91aeda8b3f3ed28c82afd

SHA512
a9449fe8dc52a829c8421fe3ad91d98c3e424e5120228b85f28329bfb08e422b00fdcd10874f93233f45a119acd481e8341224695906737963240c76f61163a0

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe

Filesize
59KB

MD5
67020d06400031f9bc48571f7cae3fdb

SHA1
166d5693f7248ba4fc8a225d0a929a90a757fca9

SHA256
0adb2df4dcb985a04c80c3452d6718a6d598869aa67c3056352043063843d992

SHA512
bee0b2b854158e1be7b2f2992542e4a66d6cf2247a1942c5bfbd0f842c53b7d5d0e36d270f397bbc237d1f6c3aa3cca3838b69c0e8dce9712e86caf99c1e344c

Download Submit
\Windows\SysWOW64\Ffpmnf32.exe

Filesize
59KB

MD5
2f2f2bdd6121caf9371caa84316eec9e

SHA1
eef57ef6a9f5436534537eaa3b03311f07ff408d

SHA256
b69eee998ccef1b285597d3964424a6701f4e9c944832a54779f65c5e357131c

SHA512
6570b48ae70ce1d5ff07060fd6bece7e9b708a0c5402b18610255cbd0e829b82002825fa5806a254895c69149cf3f06030b27ab2592a1d71313997db2f2afc17

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
59KB

MD5
9375a72253d12c896e7889a3fd14b9f8

SHA1
012b42260bee4cf26e8910c17056935556e8e159

SHA256
2a98fc1a485829e5ad685018b980e91946f87b23bac35f43ff8ca35ac8ca8cc9

SHA512
e6e4d474ebeccf3410857069ff127b52fe74987daf83692bfdff64ec75b5ee11944a65fc27658f8aed5cc6a5edca731f870aa8d14eb5b17750b3f4285a28aae8

Download Submit
\Windows\SysWOW64\Gangic32.exe

Filesize
59KB

MD5
b2b770f602f30b24e8f94371821abec0

SHA1
2f8b0920ad8b6ad6bec7c5bfe0834fd9f40fdffe

SHA256
00a84e504a9ed8895f3dc3d174411c2ad29380b4cb4d6a29af226266b47f7125

SHA512
44dcb718765fd730486b98fdf70c1dad61bdbc25ebb3a16771e87df00f319b54f61863700ca2fe0cefdeb17c6f4bcbad697f5664dd71f229573b2106a9f6667b

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
59KB

MD5
e83a73d3421df9778e2bc1c01ef611f8

SHA1
d4e4c3ea67459180a49ab64130499af1bc68e775

SHA256
f382731696568d4eea2b7ea80d61032aa86ec7beb25e8e00966040ee7530c163

SHA512
be4478d304393d41a4a4ac871ea140d42fccc578f98e5affe0e0d81cb6fd782c17486d4c8c68a31be3606797ba5d5caeb0572171937abf09287391bdb1c705a9

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
59KB

MD5
2c0a662d0a412b36af1c681ad82f5ca7

SHA1
315773186701de9a80420055b589a165216e36dc

SHA256
40a85c0641cc893bb96e643eebc4b9e3a4959ff9afa4b626ebddea56ec49a389

SHA512
628b3c882cec411990449fbcd18a83a673b0aeae05c153504298578f04412568940ec68118717571d55f6a93f1b9e77f2d4c85142d6d4071b2dc8d6f2073c0b9

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
59KB

MD5
d5768cd373f957f134a9baa3a7b230c0

SHA1
e44b72f4425337dce4b165551e06ecc403239c0b

SHA256
bdd879507b92f8696dda3d38b66870f389465b16ff5e956c8630ae143379a620

SHA512
fc997a708ca7c68973fa8fd3d466c7b8345e5461b2c70f20be4f8c8b7c567bc80862d9a8bebb55364b9e8de26021599517bc79fc7f1fe7a984c854bbfa2e33ad

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
59KB

MD5
616fe5bda899c67f61932c1d520a6e5d

SHA1
31ce6a000f93717093de37c27e2cfef7f042bb1f

SHA256
f91504e5889b3c6ba6564d9138663ce1ef254bc0b85ec1b66dd59d85312418bd

SHA512
825876c604562d334ccbb1c42b76569133c777a61c3cede0eecb9eb99cd014cc599a17f1793af024f92f52ff99183d1c6365de46152e5485d30330ded71089b1

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
59KB

MD5
538576b6aa2da14a45b72d613c2faea5

SHA1
e8b9cec0dbbf9c1653c0bed658ac2d593468ff7b

SHA256
24c6096f2174dc25510958a1fd0a0e7fc7e58bf294da5ce2dac1d7030164a684

SHA512
ef3509fa12b342227469374fee503be8d3bd83e42ed84e5924fb5b6520a50623f020b46a547bb57605ba9582b37a1f62cd67b2a56bfee6af9326a025516fd767

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
59KB

MD5
adb7e444c7494b1f5dedc7355fc9aedb

SHA1
5736f34cc143ff039bb008cfb47955fb9039a825

SHA256
9e0280a4f307f6378a348018135a85bc005b3b3b71436e144854d1236549b06f

SHA512
54d83c847568e8ba3f0a1639d206534fcd5953911517c84ff660d74cd4e37fca69ce055dce5b9bb261627b92274028ce26dff31fd70245e7e1df343de42a6ae6

Download Submit
\Windows\SysWOW64\Globlmmj.exe

Filesize
59KB

MD5
6a95cf52d8a96cdf7bc8edda9dbd74aa

SHA1
753cde4294a5694844c329f5e50ef10e0b2f05cb

SHA256
e92884ddeea7a88c4c307e33be8bf6e37b58b9cf9292331b94954695ae81b60c

SHA512
052380b093adddf11d47f1ace81054e8390a0c587a4105757f79acc87dca0e7eda04066477e94a97393ee60f08df44e158d2d20e71e95756d16255e4508b1923

Download Submit
memory/768-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/860-427-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/860-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/860-431-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/992-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/992-291-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/992-290-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1164-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-262-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1464-279-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1464-280-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1464-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-468-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-147-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-155-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1604-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-395-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1604-399-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1748-462-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1772-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1772-465-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1848-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1848-268-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1848-269-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1860-311-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/1860-312-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/1908-419-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1908-420-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1944-441-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1944-442-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1944-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-12-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2056-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-327-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2056-318-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2120-193-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2120-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2120-469-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-464-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-309-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2296-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-310-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2356-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-26-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2356-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-210-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2420-470-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-452-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2448-453-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2472-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-377-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2472-376-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2528-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2528-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2544-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2544-411-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2544-415-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2584-333-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2584-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-458-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-351-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2632-352-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2636-374-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2636-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-373-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2660-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-463-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-39-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2704-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-40-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2704-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-68-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2740-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-236-0x0000000001F70000-0x0000000001FAA000-memory.dmp

Filesize
232KB

Download
memory/2808-248-0x0000000001F70000-0x0000000001FAA000-memory.dmp

Filesize
232KB

Download
memory/2912-391-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/2912-392-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/2912-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-89-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2916-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-354-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3004-355-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads