a48b8df10485b9cb07013c52595debb53ff68f23c89087c3c14f87f4601e35ab

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 06:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Size

90KB
MD5

c3c5b42a397d957d8eb2c69528ae2100
SHA1

15e838136e31f56125342f820fec24f028e45264
SHA256

a48b8df10485b9cb07013c52595debb53ff68f23c89087c3c14f87f4601e35ab
SHA512

747571b12a7b2964a559e178055ee2e9a354b177fd85b87f5ac7e131a988c01c9ade15b261d0bb82d82c2df88aeab9e7950b1743138aec20a40cca4ef8db06cd
SSDEEP

1536:wZR4ER+S2/paPUYajmzyYaca5yyvJwcn51tXXJxxBGCu/Ub0VkVNK:Q4raPUYtyYda5RvbrtHJHBGCu/Ub0+NK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkihhhnm.exe

Executes dropped EXE 42 IoCs

pid	Process
1788	Eiaiqn32.exe
1804	Ejbfhfaj.exe
2760	Fehjeo32.exe
2776	Fjdbnf32.exe
2940	Fejgko32.exe
2532	Ffkcbgek.exe
2584	Faagpp32.exe
1344	Fhkpmjln.exe
2588	Fmhheqje.exe
2556	Fdapak32.exe
1072	Fjlhneio.exe
1032	Flmefm32.exe
264	Fbgmbg32.exe
1180	Feeiob32.exe
792	Gpknlk32.exe
1244	Gbijhg32.exe
1620	Gicbeald.exe
444	Glaoalkh.exe
2360	Gangic32.exe
344	Gieojq32.exe
920	Gbnccfpb.exe
3020	Gaqcoc32.exe
3040	Gkihhhnm.exe
3016	Goddhg32.exe
2068	Ghmiam32.exe
1752	Gkkemh32.exe
1568	Gmjaic32.exe
2916	Gddifnbk.exe
2736	Ghoegl32.exe
2832	Hahjpbad.exe
2544	Hpkjko32.exe
2740	Hnojdcfi.exe
2548	Hckcmjep.exe
1908	Hlcgeo32.exe
1952	Hpocfncj.exe
2892	Hgilchkf.exe
2188	Hcplhi32.exe
2448	Hjjddchg.exe
2216	Hlhaqogk.exe
984	Idceea32.exe
2400	Ihoafpmp.exe
2328	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
1788	Eiaiqn32.exe
1788	Eiaiqn32.exe
1804	Ejbfhfaj.exe
1804	Ejbfhfaj.exe
2760	Fehjeo32.exe
2760	Fehjeo32.exe
2776	Fjdbnf32.exe
2776	Fjdbnf32.exe
2940	Fejgko32.exe
2940	Fejgko32.exe
2532	Ffkcbgek.exe
2532	Ffkcbgek.exe
2584	Faagpp32.exe
2584	Faagpp32.exe
1344	Fhkpmjln.exe
1344	Fhkpmjln.exe
2588	Fmhheqje.exe
2588	Fmhheqje.exe
2556	Fdapak32.exe
2556	Fdapak32.exe
1072	Fjlhneio.exe
1072	Fjlhneio.exe
1032	Flmefm32.exe
1032	Flmefm32.exe
264	Fbgmbg32.exe
264	Fbgmbg32.exe
1180	Feeiob32.exe
1180	Feeiob32.exe
792	Gpknlk32.exe
792	Gpknlk32.exe
1244	Gbijhg32.exe
1244	Gbijhg32.exe
1620	Gicbeald.exe
1620	Gicbeald.exe
444	Glaoalkh.exe
444	Glaoalkh.exe
2360	Gangic32.exe
2360	Gangic32.exe
344	Gieojq32.exe
344	Gieojq32.exe
920	Gbnccfpb.exe
920	Gbnccfpb.exe
3020	Gaqcoc32.exe
3020	Gaqcoc32.exe
3040	Gkihhhnm.exe
3040	Gkihhhnm.exe
3016	Goddhg32.exe
3016	Goddhg32.exe
2068	Ghmiam32.exe
2068	Ghmiam32.exe
1752	Gkkemh32.exe
1752	Gkkemh32.exe
1568	Gmjaic32.exe
1568	Gmjaic32.exe
2916	Gddifnbk.exe
2916	Gddifnbk.exe
2736	Ghoegl32.exe
2736	Ghoegl32.exe
2832	Hahjpbad.exe
2832	Hahjpbad.exe
2544	Hpkjko32.exe
2544	Hpkjko32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Fejgko32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gangic32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Qdcbfq32.dll	Fjdbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Ambcae32.dll	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Lgahch32.dll	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Flmefm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2996	2328	WerFault.exe	69

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hgilchkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1788	2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe	28
PID 2088 wrote to memory of 1788	2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe	28
PID 2088 wrote to memory of 1788	2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe	28
PID 2088 wrote to memory of 1788	2088	c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe	28
PID 1788 wrote to memory of 1804	1788	Eiaiqn32.exe	29
PID 1788 wrote to memory of 1804	1788	Eiaiqn32.exe	29
PID 1788 wrote to memory of 1804	1788	Eiaiqn32.exe	29
PID 1788 wrote to memory of 1804	1788	Eiaiqn32.exe	29
PID 1804 wrote to memory of 2760	1804	Ejbfhfaj.exe	30
PID 1804 wrote to memory of 2760	1804	Ejbfhfaj.exe	30
PID 1804 wrote to memory of 2760	1804	Ejbfhfaj.exe	30
PID 1804 wrote to memory of 2760	1804	Ejbfhfaj.exe	30
PID 2760 wrote to memory of 2776	2760	Fehjeo32.exe	31
PID 2760 wrote to memory of 2776	2760	Fehjeo32.exe	31
PID 2760 wrote to memory of 2776	2760	Fehjeo32.exe	31
PID 2760 wrote to memory of 2776	2760	Fehjeo32.exe	31
PID 2776 wrote to memory of 2940	2776	Fjdbnf32.exe	32
PID 2776 wrote to memory of 2940	2776	Fjdbnf32.exe	32
PID 2776 wrote to memory of 2940	2776	Fjdbnf32.exe	32
PID 2776 wrote to memory of 2940	2776	Fjdbnf32.exe	32
PID 2940 wrote to memory of 2532	2940	Fejgko32.exe	33
PID 2940 wrote to memory of 2532	2940	Fejgko32.exe	33
PID 2940 wrote to memory of 2532	2940	Fejgko32.exe	33
PID 2940 wrote to memory of 2532	2940	Fejgko32.exe	33
PID 2532 wrote to memory of 2584	2532	Ffkcbgek.exe	34
PID 2532 wrote to memory of 2584	2532	Ffkcbgek.exe	34
PID 2532 wrote to memory of 2584	2532	Ffkcbgek.exe	34
PID 2532 wrote to memory of 2584	2532	Ffkcbgek.exe	34
PID 2584 wrote to memory of 1344	2584	Faagpp32.exe	35
PID 2584 wrote to memory of 1344	2584	Faagpp32.exe	35
PID 2584 wrote to memory of 1344	2584	Faagpp32.exe	35
PID 2584 wrote to memory of 1344	2584	Faagpp32.exe	35
PID 1344 wrote to memory of 2588	1344	Fhkpmjln.exe	36
PID 1344 wrote to memory of 2588	1344	Fhkpmjln.exe	36
PID 1344 wrote to memory of 2588	1344	Fhkpmjln.exe	36
PID 1344 wrote to memory of 2588	1344	Fhkpmjln.exe	36
PID 2588 wrote to memory of 2556	2588	Fmhheqje.exe	37
PID 2588 wrote to memory of 2556	2588	Fmhheqje.exe	37
PID 2588 wrote to memory of 2556	2588	Fmhheqje.exe	37
PID 2588 wrote to memory of 2556	2588	Fmhheqje.exe	37
PID 2556 wrote to memory of 1072	2556	Fdapak32.exe	38
PID 2556 wrote to memory of 1072	2556	Fdapak32.exe	38
PID 2556 wrote to memory of 1072	2556	Fdapak32.exe	38
PID 2556 wrote to memory of 1072	2556	Fdapak32.exe	38
PID 1072 wrote to memory of 1032	1072	Fjlhneio.exe	39
PID 1072 wrote to memory of 1032	1072	Fjlhneio.exe	39
PID 1072 wrote to memory of 1032	1072	Fjlhneio.exe	39
PID 1072 wrote to memory of 1032	1072	Fjlhneio.exe	39
PID 1032 wrote to memory of 264	1032	Flmefm32.exe	40
PID 1032 wrote to memory of 264	1032	Flmefm32.exe	40
PID 1032 wrote to memory of 264	1032	Flmefm32.exe	40
PID 1032 wrote to memory of 264	1032	Flmefm32.exe	40
PID 264 wrote to memory of 1180	264	Fbgmbg32.exe	41
PID 264 wrote to memory of 1180	264	Fbgmbg32.exe	41
PID 264 wrote to memory of 1180	264	Fbgmbg32.exe	41
PID 264 wrote to memory of 1180	264	Fbgmbg32.exe	41
PID 1180 wrote to memory of 792	1180	Feeiob32.exe	42
PID 1180 wrote to memory of 792	1180	Feeiob32.exe	42
PID 1180 wrote to memory of 792	1180	Feeiob32.exe	42
PID 1180 wrote to memory of 792	1180	Feeiob32.exe	42
PID 792 wrote to memory of 1244	792	Gpknlk32.exe	43
PID 792 wrote to memory of 1244	792	Gpknlk32.exe	43
PID 792 wrote to memory of 1244	792	Gpknlk32.exe	43
PID 792 wrote to memory of 1244	792	Gpknlk32.exe	43

C:\Users\Admin\AppData\Local\Temp\c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3c5b42a397d957d8eb2c69528ae2100_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Eiaiqn32.exe
  C:\Windows\system32\Eiaiqn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\Ejbfhfaj.exe
    C:\Windows\system32\Ejbfhfaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Fehjeo32.exe
      C:\Windows\system32\Fehjeo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Fjdbnf32.exe
        
        C:\Windows\system32\Fjdbnf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Fejgko32.exe
        
        C:\Windows\system32\Fejgko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Faagpp32.exe
        
        C:\Windows\system32\Faagpp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3020
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        43⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 140
        44⤵
        Program crash
        
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjdbnf32.exe

Filesize
90KB

MD5
19084affaca9525c8951a46e99b0b84e

SHA1
f36765b19247f89908df3b8cecc3a5527d8120f1

SHA256
b127ad06b5992c8787e2979960c140a16cac0f8366451a86237ea5a5920e3586

SHA512
62ed4a6777f88c00c6a27394183d42297fa46ba5691d6b42b3ca2bc7c19530deac7a2b7e59c61ed524569e4abd1835a276a89d89e8b7b98b1276dad3160231fe

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
90KB

MD5
a33388286ed7004b59976a4a1c20dd49

SHA1
ef1c7bf0c79798f63b1e4662e2dfc5e32bf71a15

SHA256
dbe39934806c7ef8e9483616860b783346cce9377c04b45317903d4652da9e00

SHA512
a48072b0b0e6e8a1ad419d72e0279b973de529d419a06923bc1e8c07b8cf16960aa131258ee27131d8a561de6a4ba84d2c1a04c7c147b17bf1f358ddf89e1c2e

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
90KB

MD5
bd0f35d46c490aab5ca00ffd37f26ddd

SHA1
9b0f82a72aa9b85879ecd3e1b36c1811542dc4b7

SHA256
64bf4b9773eef3b16a84b54e0b8e6511a22d0018ae20c9391bcaf21db8114dbd

SHA512
71904f7e956ca90fc90aa0191a50cd5f17bd970ff6ee057d29f2855090bd6a0f83da58bf2108525bdf0d0f49986132345bdfe9d5e1d0c3b5644e31eeb60d9251

Download Submit
C:\Windows\SysWOW64\Gbijhg32.exe

Filesize
90KB

MD5
8d2bc7b40e33c3423e33904520f799c8

SHA1
f90c793f1cd5c2d58fe3c5b52230f01cf7e71797

SHA256
169c914a09ee51ef373294bc3863f7369f4bb1c7456602eadbd63c4d542d490d

SHA512
0d64f8a02581d74861985699fddb773a1dd5c99555c0a63017a243f9febae4c1892e8351271c2315579c653a5e10ff65628fc120a7820343d0874bf89e09c541

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
90KB

MD5
462e6d7329136131ad42151008897d13

SHA1
58e04561101c9b406c8666c581b995d827c915fd

SHA256
972fdbbc7e14eed148269ab8254e85b9ace8165b048936435dbd824b05e3cce4

SHA512
15fa5dfacbd49a52a0afdb219b7a5843c5f22318a497a50342d8c727d1a2a2eab95f2c52c6603c8361dfb8ee2f62c1d641520debfb1a9b509124ca35df7efd19

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe

Filesize
90KB

MD5
08f38622c98f4513b92c41c92848b604

SHA1
90d57e4ff62f4509ca3764419018679293e3b477

SHA256
a23bf8d24e08f4ac1a3b221b330bd2440b640487e33203183fdfedab420ab330

SHA512
449644fbd0d0519b39b338f5e8a5a4683038afd484e4f17d1d61ce7f749bbec8c74228ecbc6696f2e22647ef489d0918d291c86e6d9d8b3f3264f09a9a09b1b5

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
90KB

MD5
684cd2f5b2e5259cb212f15185f8ea80

SHA1
0e87ad403e5d2db37aca2c7b86ca763f9d7626b6

SHA256
c06ff20e2d012faa1d513c7ffae102565d5c1e0eb31e9bbd93386a13a74faa18

SHA512
c83c96e2be54ed57bf38628aecc4ad11881e5cd9fcc51ae02c13838a6299962fc4a9784d707e2bed84fac2df5ddfc3647894353949044ac6b79c32346d4dab4a

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
90KB

MD5
51f176971a24bc618c1679f57fefbaa5

SHA1
eff5886073cf58ccba20879a031a112eb8ddc4a5

SHA256
58b9ed032169f351d493b823794f91e032f70594ac5046a5c88c0abdee4c0048

SHA512
4a58efff0c1187cf3de79f513a1a481e0cfa0de0e4bbec629352ee772a45fbbb5be232b30a4ad1d307c5f8852a20a64ad74d04c2fa5d813fe903c0f88b313e6c

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
90KB

MD5
a7f964bf2ad08e3a70961d05f6fd3c95

SHA1
73f5005a4c2d80ada2ca8bfeed30f107b2661825

SHA256
26e60d2e9bbef7f541a0a1b36131c464e0fbe6c2dda01aad508ec58b3fda626b

SHA512
d2f66163f2266a11cd2ff87339c77b1a78721844d3d691e86b3d4a2953f86617627ae4235cc6794bea5a267987cac393064ffe5aa748359f064425648fbb978e

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
90KB

MD5
9b3586a3ad4915cb67eb9a90bf87b2ff

SHA1
88d4ccbb9e5dfbe51da536e6b4c8a6cd18aa534f

SHA256
262448f2a6fb417bdfccae3ef81cf8384d03da056d25ff959ffe9add9132bc58

SHA512
958af7076a582c17d671569f9961466c99d284f4a3c46c37f8a586febf3d6874c95d13b44b74e5366a397a6eb39edeb8dd08974d6397944f210e6d12f0e39820

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
90KB

MD5
ba0c6986c95f19b8794e83e2736628e3

SHA1
c72b590811d0807bbbf2815e79878da648fba61b

SHA256
1905a955128ef6edee2d84cdd068441fc75adfa409fe759528c0e31c7ad4ad29

SHA512
fad605aee62a8650ada375f85c520daddf89af5b0cfe9c7f78aa4ecf99d2f25846bc29bb9309131b69712ac5d7a40ed75b4edb66066d75cb144ce54862f4e219

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
90KB

MD5
1acfd954b97d1eef6a70fa30390f48ae

SHA1
674055705a9d379d9f4e8e2f36f91960a0fc2f00

SHA256
4836d896f1105b87ab700f4782c9f9da85a75bb9871f73e30762e2c9529aea14

SHA512
30dc6f0780bfa6510d44b958cdab805bb002b83bb5cc75768bd500f789d1dca15cfef645cdaac1cd85d02009b7346b1ac01c78521a6e3a2b561517d3f8bc15e4

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
90KB

MD5
2b1d885ac028ddd419f10ce9c294f206

SHA1
7c61def6236f2678f3230bd8ffbe9bd3ac378bec

SHA256
dfd753f43a8964f825156fe3505115c62cf8803cf38d91137c24a1aa922edd9f

SHA512
625a13bc9a409701197316873942d87169c34458fee073fb5d1d7561ea74cfdd7a84f233d65678e3e2c93311c5d1508ee4f482a31a253d7bdb92e64d4f5b9dbe

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
90KB

MD5
ae364a9b3523bb9860a80856586f295a

SHA1
e9e303860f3fbce05b1bbe5704e570c4fc9960ab

SHA256
209337d54c90acc3b3b433d70dfb740ca44057c2c54ee12b44507d554852283d

SHA512
5b85de744949fd70ad8c80bce2fdec959c2231b27abc814704f7b38e9ecda03e951c1c9443ee72f34fb3f488150a7a44a30e3dd232c66bbe91dc0ea704f9ca0e

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
90KB

MD5
855a8067fdce7af15f853fade285c80e

SHA1
b06353a0b8d1334c3ff737188e7ed96834ca7615

SHA256
54b2e84d5aaefbd949ebddf3b5bc50ab510f77e44cd0f27e138c1b2f6bbc3ef2

SHA512
80ae06f1ba94a3512fa6c43adbc912e045fec55b9fb777cd2ad78da3613e789fc0e7e7f6336290a4c46165bdfc66c49154f75f13b38b188285fc91399b0eb6b3

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
90KB

MD5
8299469f39c7113e6e26d167b8963a8f

SHA1
074f4a3e641fdfaab844f5251470d98fda6ca905

SHA256
b2311ca98f562f23ef6e74119c82d8a7b8e86274ab24d5212b6d7e37377dd075

SHA512
a750a6f78c98816d11d83a27188924f998d0f304f0ee363135c20749c41f6aac78b1ec88f0353055327abd48c497f4611d1ec6c71daec22b1418b423bc3a416e

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
90KB

MD5
c7e352797f5b8bb1cdcf1e3bf2abf343

SHA1
ab435dd9583498c605cc75e2a0bdbd790f569648

SHA256
d31d1e4dd84f0817b1c20b4c07e6274b4c6a1413494b521f4b458f0e8f4484f7

SHA512
4caac90df525a17b9413757de828f9064777c209024bf7f599a4a65d4108a150a4cc130150e053758eb0d5d70d601aa1385ce9828e32be0b18fc4a241be8dcac

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
90KB

MD5
ed2af30196c7ccf78f977968254220a2

SHA1
391eb31b9bd222cec0bc9e4fe63700107ec56fd9

SHA256
047c9f751abd0e0d1d6d9786f84952fb47306be2b3991229bfbdc3cb0d150bd1

SHA512
2bf34211c6f99ec3936b7dea8f620b75d6185d2e5879a0f8d4842871b1f0eee6ab1d3cc0548e90c706906fc242eef092807aca1babbc5b22e88decc83a9f159c

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
90KB

MD5
2204cb2aee1238c85ea076afbf132309

SHA1
71d3b5b8d690ec91b5d14a4c4b81af04190ffa9b

SHA256
2b4ab3a602c3da75521038d068db16ff89208f57750974729ded6971cb484fc3

SHA512
eb3b0f2386210621940055d64d0d6da8c2aee403769fca9966a89ca7b88db137d835a0a1c30f80ccadd722b0cf5f9d374c43f95b8539b85f7bf767d852b72639

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
90KB

MD5
83ed8c70ebc7db48fef57fc3fc10ca9f

SHA1
a5618faddf89d245372cdcd21e3f20f9a1bb3d91

SHA256
55a8e61685f4a9caaef38c9faaec3fe08e2952e6a7d81330ecc529df94451e04

SHA512
61e44be4da65c2d6f76f9f9076d28f5ae8b93a2f0226671817209c88ffc6c759285c4ebc424a7a92597bcba9b6846319a7248a2cf5b1a33463a1be1d559d53d3

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
90KB

MD5
0a1c494fe8f2703809c05b9e1f73fb12

SHA1
ef96dd572aea2c8839f708a0ae532ae57db98c84

SHA256
ab5339213464ded37dd38adcee4dcc0983c105dd32909ef7376810f052033d20

SHA512
317c425cc5a0e1c29073b7c0a384ea5f9915d9426bba2c695f5107594e0cde7b27774f028ba3788791762993874892f6ff99a4eb67c2b32b419a9a5a15160e9b

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
90KB

MD5
5e25544a1f0a49a5a741f255ebdc468c

SHA1
c4c110d6954889cc0c6a140bc134834f02804c9b

SHA256
765c400105bc7bcfbb0ffdeabcfc58e8b0b6a2c5ce36eeb6a01b2abdd4d29a6d

SHA512
5d1fc9345c21b6b54749e297aeb56c1961f4644ce6d90ee0c53d513b05baf1b4774119851b2eeb22b012e3898d922cdc67fb03e0640dc1ad61ae8ed8eee3074b

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
90KB

MD5
912df7dd91467c44e1f908e930c5a7fb

SHA1
ff4375312b7d1ce4f7b3449d88a5279b6f7d86f1

SHA256
eb477500d6cdabe95b7c902b019cd6d1d867c3d4aad98a26b5c8920aa40a7267

SHA512
9b87a2e8799cb1012a4821210a4e35b396cf46b4f3aeb8610ad6153e5d487ccf445bda43b50d8322194b4e021c97de4b0eac0aeec04171c10f4f88aa3252ba81

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
90KB

MD5
7e825875ea519b86bd5f17418828e804

SHA1
2b98be4a63258150860cc87ab129852102ad34d0

SHA256
393973f6296933fabd2df638168acd7cd20e6437536567f807eae66c3eb458a3

SHA512
f10cf98e4bcc5f0f4c3d22c867cae143cc5e6111d962d0a38b8fd1b9dc594795cfc1146fff2d52d156de5921b4ca536f029fd725c4bd263c4421f56c89b8dd24

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
90KB

MD5
71afc9efd4635cbe22f363d172290d7a

SHA1
fc97e0671de741f446f90315f7aba6d957f78a72

SHA256
075a3cc925967705dc29fb451b3b46e3066e1fd5eb44156fffab2ada6d124917

SHA512
e151c4d55eea638486318358f936e3c6fbe0eac18bcbd2496487255e9363f1fd6838a52d5da9b8c320a978955c2ecdf69f013e248d6e2b8c78862c9514eaf77a

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
90KB

MD5
f79789392909654f1aff0c1c6eb2ebf8

SHA1
885f06a4ac32f582ae283c86a38701f19c424dbb

SHA256
7248f1e02f3484ce00fd8d0159e6daba7773bbb1eb3c2427113d0446fe572e01

SHA512
b20cc7b163224fb21f74e5010480e0e00624377ee8ff3068957a235991141b4c65b013c54816cd84318b6ec4d2dafac2051463dc96b09536d25b68381a075187

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
90KB

MD5
0d12c6018d7e764dc6db3ca5782843da

SHA1
32d308649fc51f436f1e3741ce1511956ca970f9

SHA256
6ee67c198774cb5a0f9474fbc8cf300f19bff013149d58b5d7b8a8120b6d04a4

SHA512
d364ff4b434b43e94a58ee812f7dd0ec828a87131fb607e23b4921234a58646d0480d84ec4db66959a537ddb975777223bbf595b7fac4e9f082828f4f3ad5d94

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
90KB

MD5
5cd58cc936b0f09762585156ef28bdf3

SHA1
666755ead48dc245dc34dfba54189e306fdba606

SHA256
b3ca67ca7af65f7d6b3ca03305d9a57b8258a0ca48eb21387c5fec387c24b224

SHA512
e92591b3102c88a4d314c13c3b18b4b0fb295c9cbeb0ff161d2a99ed0a6cfa5f9cf3e64d55e7bd9d440f06d1ea91d5fce574d9d83b07fa98dcea48cc3aef2046

Download Submit
C:\Windows\SysWOW64\Qdcbfq32.dll

Filesize
7KB

MD5
2b9ab7895d292b0a10b94736137eb75e

SHA1
d26ddd28c16d0b01581858a53adfb468016c1b2f

SHA256
e445dc625ee3f032ccdad5861dad3a43f74933bdf421c14f8a06e8f0a865e71b

SHA512
447c7c1f263e6c42848c2325e60920f6a074e783c32fb0266295d91f3c57821cb4a6ac1f930e71328efc587db3b0eddd0837f2e1942e055f9efa209306671429

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe

Filesize
90KB

MD5
3a6e7a1e3ec023021dc2d9ea754cc838

SHA1
b87eb7bd9fedefe9e6097fab88e8013b06a8cadb

SHA256
54b852a60e4bd10c1022efb00b58fbeb6a277ba71a485db2c10c5f5d3e3b2749

SHA512
cd0ac5faeacf737d76026e9a760be4741c4afdd8fc3642b27dbd7b156f7d80e1c4d03b155fc6f44394a3cdcd00c34f259af61660867d3b17ddb75edc0aa5d55c

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
90KB

MD5
fd61154072619d47ba11e5527238bff8

SHA1
b280e86bfbdd6291966eafa227d716ba2403854a

SHA256
c1119adfa1749a9a9669454604ae5e70005e987572f5d689bb3492f43b6a9b1b

SHA512
17945d52a033fa2aea75bca8fdd99cb714d9b1c210f08e908749c29b8bed09a0739cbd1175325f5c43e84dc1b15eedbdfd9360f5c8fe2c6c588930ddc0f21e39

Download Submit
\Windows\SysWOW64\Faagpp32.exe

Filesize
90KB

MD5
793c3a69e9691101849edee02ab0accd

SHA1
8bab8ada4d2469f40625cd6fb2223b35522c6a21

SHA256
9f3efd5efc94402260bf4a5ac88428e7f674617a0f284617057f3507da27584d

SHA512
55ae7ecca628b2a1df92a93b49b9db626ba4266c55f065d072c04f95294a3a14ab06500fba03fe4cbedac49d6ac26c61032d21c2fe68bc7ef30fbf23686b8866

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
90KB

MD5
4b5e0a5cb7257385575111ef8c5db71b

SHA1
5417bfae045afa60424828ff716624280f686123

SHA256
9792d279603ac7c53e7b39c52f71d6b90744609240004e17fe8ac4515f41f59c

SHA512
53a26f22f5609c87d0ce0bc172bd2bf52312c96e83ac61bac8e112ffbb3087d0b9f755c1d29b0c9774d999e6d469fddf80eebe6320cb4bdc2e05f3fa345a6a3f

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
90KB

MD5
e6e0940fe1574baca94a630e242e8a13

SHA1
17cfbb911576cf55a349d52c608881e3304ae905

SHA256
2520393232688c8be69db5905371b17a913aedf76d610faa21172c3da86a7c88

SHA512
93682d6ad2e19ccd56a127c3275125256247f81d9c8526a9439939d832fb5e1dbe474c05020f51dbaf9c97b3065e69f3b43bff6074eb64281dfbcfc624b319a9

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
90KB

MD5
2bd50ea85ab4838f9d4506c939ab2123

SHA1
25bf96149f687ff84e5d08fa6807e24347e2709e

SHA256
c40bce6341567b77bbdc9a9f116fe12daca89924897a4bb0573c81ac389b7fe3

SHA512
c25526c45f2facd160802d2063059f5eb4794be8a44aeaa52cd6f5f3484e3a460a25573567528b7cd1984ce0c3962282ba41360d1d5a95cc446c56db3c803439

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
90KB

MD5
7d7bdc3ebf7b72de655bca307a688fa5

SHA1
2a1476546690de2974c8d6590df7dbce5a0a7e48

SHA256
afe7727ab9b4362b0587101204e8bf43188a5f0732c54a451f1a6efd095c59fd

SHA512
ec90c7539c271608bb6ee0d1fc606007f770cfe8eeff9ef9857c60c84296763e133db6d2618c1b09fe6639cba3893636c8baa0b837747dc79c64e7e63f1aa15b

Download Submit
\Windows\SysWOW64\Fejgko32.exe

Filesize
90KB

MD5
33bc951545ea4ef7995f7f8268df3af9

SHA1
0ac8a3a26b96e5c9fe9cd0c19d0492b82fb337bf

SHA256
c7d6f57f2850101530709f4bf1682c8de8168cab4f74e24b0e70d15d8eacd4e6

SHA512
65b605034146ad438de0a50e6c71e59b3640174665fa7807b2ea29fd699c801b32954686825679c7dc640fc389153f07643726ae6e8a324e3af245681fcf1205

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe

Filesize
90KB

MD5
dd2466af3c092e300223380d02680c90

SHA1
658b8a6694c9424d31a18bf6a6cc13233fec81da

SHA256
615c138d8e7e693f1f405ea1401aa1adf391cd69d10394dd03cde9493d81396c

SHA512
af9ab51fffaf6290a1dd81ae634b7fb028c59fbc4e373027fad2a3ac01fa750a2bdc6eb7d783c9a6eb42cf884d6ecd98b6e90a442e273a18de35d11edfce1fbc

Download Submit
\Windows\SysWOW64\Fhkpmjln.exe

Filesize
90KB

MD5
ee26a31808be56bc6f9a42bca6619fd5

SHA1
67cff27e19b592f7d8c5c721d7ae4a0d212ebb99

SHA256
dd91443101c17079d5a7a0a1053b9238047be851dcd38a939f7e6eddb0fcadf3

SHA512
c2ac1c607f977e7df54e326008faf98a6382e7f30cc0fd5c1a34ddd594cab866f16992b0df7134243609e16de098478bb32cf1ac1d42431a55a6102e347f71f5

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
90KB

MD5
3982d8fb2af6f0b2022ac9e795cd8e6c

SHA1
d66d1f2a7e032c045ced5a384e83137e9313cece

SHA256
fcbb1730168e3dce7c4aee9ae4127c40e59a3676b83bde65ce5ecf78e2735ff9

SHA512
31fc92aa2817177982272194fcee9c2455063334355f2797ce5a508a1d025fdb12651bf12bfdb5a91c32fc3d527948507ac8ea698fd7aafe47b0f2afba7c34b5

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
90KB

MD5
f43b3a212e524d6f336a6c0a9d6ca4db

SHA1
0562b1366c2b1a3b6484dc1c8a5aeee19a518209

SHA256
d52662479e208926effc1f8259feefe5406b05add82478deb59cba2ba0e32ab3

SHA512
6f47ccec05dc3158fd9e4514631d9db6fc3d27cd3d8ca87fc433e4db4acfeddee6830ae93b844243dbc6682284c0756640d6242f5740af7a3ed1e4f034526204

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
90KB

MD5
13547922028fb93806799b978ab8957e

SHA1
609754619d35aed79556fd305a6058d979c23030

SHA256
722aa159f4649b63ea10a5f6926524c91eae3b1567a37adc1aaf79f12e8097ed

SHA512
b7da16d0d188b203188f0dcaf9ee6c7afb547c4fab03a81fc247ceaba188776d4366ff70e9877ce217a5ba360248ef71b0a6a43391d8bad03452c97a756c48bd

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
90KB

MD5
c3efdff7ffd9f62ba46ca603db91f776

SHA1
bf2bc9b48e3761540dd169220048fc9cf990a004

SHA256
1b37e19b65a9e8569918c9d3b812f5e16ae5d79e2a4131a59b5d5a041f08ce46

SHA512
fe14125445e1d2b8826c260aba8258e196c8a7e2620a06800df85255d3b6577139352141096300fd22d0964afe81f67096563c120ae69524cf5a14242d88ddb0

Download Submit
memory/344-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/344-257-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/344-262-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/444-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/792-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-269-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/920-268-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/984-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/984-477-0x0000000000490000-0x00000000004CD000-memory.dmp

Filesize
244KB

Download
memory/984-478-0x0000000000490000-0x00000000004CD000-memory.dmp

Filesize
244KB

Download
memory/1032-170-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1032-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1180-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1244-209-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1344-105-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1568-334-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/1568-335-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/1568-333-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1620-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-332-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1752-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-331-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1788-493-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1804-494-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1804-33-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1804-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-415-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1908-416-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1908-402-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-417-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-422-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1952-423-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2068-312-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2068-313-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2068-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-13-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2088-492-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2088-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-11-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2088-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2188-439-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2188-445-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2188-444-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2216-457-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2216-466-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2216-471-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2328-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2360-247-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/2360-241-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2360-246-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/2400-488-0x00000000006B0000-0x00000000006ED000-memory.dmp

Filesize
244KB

Download
memory/2400-489-0x00000000006B0000-0x00000000006ED000-memory.dmp

Filesize
244KB

Download
memory/2400-479-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-456-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2448-455-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2532-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-373-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-375-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2544-379-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2548-400-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2548-401-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2548-391-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2556-143-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/2556-131-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-92-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2588-118-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2736-351-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2736-357-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2736-356-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2740-390-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2740-389-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2740-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2760-495-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2760-45-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-368-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2832-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-367-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2892-430-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2892-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2892-434-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2916-349-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2916-336-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-350-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2940-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-298-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3016-302-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3020-280-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3020-270-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-279-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3040-290-0x00000000004B0000-0x00000000004ED000-memory.dmp

Filesize
244KB

Download
memory/3040-281-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-291-0x00000000004B0000-0x00000000004ED000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads