edbc521cc1bd15ac9e67cf4c6c68fc1ebd2f4fe8cbd60c1ca69cc27282305d43

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Size

226KB
MD5

cdfb687b4c1d106e9e777637d86434d0
SHA1

28fb44f4555ff83ab1ffb593b0e162f04b77329f
SHA256

edbc521cc1bd15ac9e67cf4c6c68fc1ebd2f4fe8cbd60c1ca69cc27282305d43
SHA512

bbb17ddd9528ac2147e1f7b6b91091f24eb39e6816d585cd47b7c1648efd2d9a62403476e53535788ef5b6e0a44a35f719e1816eff2cf905390d2f626103cefa
SSDEEP

3072:W59fSJT7kcDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:uUJn6xEtQtsEtb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ennaieib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddeaalpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddeaalpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe

Executes dropped EXE 36 IoCs

pid	Process
1716	Dqelenlc.exe
2152	Dbehoa32.exe
2720	Ddeaalpg.exe
2868	Doobajme.exe
2552	Eqonkmdh.exe
2508	Ekholjqg.exe
1652	Emhlfmgj.exe
2832	Elmigj32.exe
2924	Eeempocb.exe
1980	Ennaieib.exe
2208	Fmcoja32.exe
532	Fhhcgj32.exe
1512	Ffnphf32.exe
2308	Fpfdalii.exe
2496	Fbgmbg32.exe
2888	Fmlapp32.exe
1780	Glaoalkh.exe
912	Gangic32.exe
2388	Gkgkbipp.exe
1772	Gdopkn32.exe
1600	Glfhll32.exe
1052	Gmgdddmq.exe
2100	Gdamqndn.exe
776	Gaemjbcg.exe
3064	Hiqbndpb.exe
2156	Hahjpbad.exe
1588	Hdfflm32.exe
2860	Hnojdcfi.exe
3024	Hlcgeo32.exe
2716	Hobcak32.exe
2520	Hlfdkoin.exe
2840	Hodpgjha.exe
2568	Hacmcfge.exe
2680	Ieqeidnl.exe
2500	Ioijbj32.exe
2844	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
1716	Dqelenlc.exe
1716	Dqelenlc.exe
2152	Dbehoa32.exe
2152	Dbehoa32.exe
2720	Ddeaalpg.exe
2720	Ddeaalpg.exe
2868	Doobajme.exe
2868	Doobajme.exe
2552	Eqonkmdh.exe
2552	Eqonkmdh.exe
2508	Ekholjqg.exe
2508	Ekholjqg.exe
1652	Emhlfmgj.exe
1652	Emhlfmgj.exe
2832	Elmigj32.exe
2832	Elmigj32.exe
2924	Eeempocb.exe
2924	Eeempocb.exe
1980	Ennaieib.exe
1980	Ennaieib.exe
2208	Fmcoja32.exe
2208	Fmcoja32.exe
532	Fhhcgj32.exe
532	Fhhcgj32.exe
1512	Ffnphf32.exe
1512	Ffnphf32.exe
2308	Fpfdalii.exe
2308	Fpfdalii.exe
2496	Fbgmbg32.exe
2496	Fbgmbg32.exe
2888	Fmlapp32.exe
2888	Fmlapp32.exe
1780	Glaoalkh.exe
1780	Glaoalkh.exe
912	Gangic32.exe
912	Gangic32.exe
2388	Gkgkbipp.exe
2388	Gkgkbipp.exe
1772	Gdopkn32.exe
1772	Gdopkn32.exe
1600	Glfhll32.exe
1600	Glfhll32.exe
1052	Gmgdddmq.exe
1052	Gmgdddmq.exe
2100	Gdamqndn.exe
2100	Gdamqndn.exe
776	Gaemjbcg.exe
776	Gaemjbcg.exe
3064	Hiqbndpb.exe
3064	Hiqbndpb.exe
2156	Hahjpbad.exe
2156	Hahjpbad.exe
1588	Hdfflm32.exe
1588	Hdfflm32.exe
2860	Hnojdcfi.exe
2860	Hnojdcfi.exe
3024	Hlcgeo32.exe
3024	Hlcgeo32.exe
2716	Hobcak32.exe
2716	Hobcak32.exe
2520	Hlfdkoin.exe
2520	Hlfdkoin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Emhlfmgj.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Doobajme.exe	Ddeaalpg.exe
File opened for modification	C:\Windows\SysWOW64\Doobajme.exe	Ddeaalpg.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Eqonkmdh.exe	Doobajme.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Eqonkmdh.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Ennaieib.exe	Eeempocb.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ddeaalpg.exe	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Acpmei32.dll	Eeempocb.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Emhlfmgj.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Lefmambf.dll	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Dbehoa32.exe	Dqelenlc.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Ddeaalpg.exe	Dbehoa32.exe
File created	C:\Windows\SysWOW64\Cfeoofge.dll	Doobajme.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Lonkjenl.dll	Elmigj32.exe
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Gangic32.exe
File created	C:\Windows\SysWOW64\Dbehoa32.exe	Dqelenlc.exe
File created	C:\Windows\SysWOW64\Ennaieib.exe	Eeempocb.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Eqonkmdh.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Eeempocb.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ogjbla32.dll	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Dqelenlc.exe	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	2844	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddeaalpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbehoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll"	Dbehoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll"	Elmigj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddeaalpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1716	2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 1716	2932	cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 2152	1716	Dqelenlc.exe	29
PID 1716 wrote to memory of 2152	1716	Dqelenlc.exe	29
PID 1716 wrote to memory of 2152	1716	Dqelenlc.exe	29
PID 1716 wrote to memory of 2152	1716	Dqelenlc.exe	29
PID 2152 wrote to memory of 2720	2152	Dbehoa32.exe	30
PID 2152 wrote to memory of 2720	2152	Dbehoa32.exe	30
PID 2152 wrote to memory of 2720	2152	Dbehoa32.exe	30
PID 2152 wrote to memory of 2720	2152	Dbehoa32.exe	30
PID 2720 wrote to memory of 2868	2720	Ddeaalpg.exe	31
PID 2720 wrote to memory of 2868	2720	Ddeaalpg.exe	31
PID 2720 wrote to memory of 2868	2720	Ddeaalpg.exe	31
PID 2720 wrote to memory of 2868	2720	Ddeaalpg.exe	31
PID 2868 wrote to memory of 2552	2868	Doobajme.exe	32
PID 2868 wrote to memory of 2552	2868	Doobajme.exe	32
PID 2868 wrote to memory of 2552	2868	Doobajme.exe	32
PID 2868 wrote to memory of 2552	2868	Doobajme.exe	32
PID 2552 wrote to memory of 2508	2552	Eqonkmdh.exe	33
PID 2552 wrote to memory of 2508	2552	Eqonkmdh.exe	33
PID 2552 wrote to memory of 2508	2552	Eqonkmdh.exe	33
PID 2552 wrote to memory of 2508	2552	Eqonkmdh.exe	33
PID 2508 wrote to memory of 1652	2508	Ekholjqg.exe	34
PID 2508 wrote to memory of 1652	2508	Ekholjqg.exe	34
PID 2508 wrote to memory of 1652	2508	Ekholjqg.exe	34
PID 2508 wrote to memory of 1652	2508	Ekholjqg.exe	34
PID 1652 wrote to memory of 2832	1652	Emhlfmgj.exe	35
PID 1652 wrote to memory of 2832	1652	Emhlfmgj.exe	35
PID 1652 wrote to memory of 2832	1652	Emhlfmgj.exe	35
PID 1652 wrote to memory of 2832	1652	Emhlfmgj.exe	35
PID 2832 wrote to memory of 2924	2832	Elmigj32.exe	36
PID 2832 wrote to memory of 2924	2832	Elmigj32.exe	36
PID 2832 wrote to memory of 2924	2832	Elmigj32.exe	36
PID 2832 wrote to memory of 2924	2832	Elmigj32.exe	36
PID 2924 wrote to memory of 1980	2924	Eeempocb.exe	37
PID 2924 wrote to memory of 1980	2924	Eeempocb.exe	37
PID 2924 wrote to memory of 1980	2924	Eeempocb.exe	37
PID 2924 wrote to memory of 1980	2924	Eeempocb.exe	37
PID 1980 wrote to memory of 2208	1980	Ennaieib.exe	38
PID 1980 wrote to memory of 2208	1980	Ennaieib.exe	38
PID 1980 wrote to memory of 2208	1980	Ennaieib.exe	38
PID 1980 wrote to memory of 2208	1980	Ennaieib.exe	38
PID 2208 wrote to memory of 532	2208	Fmcoja32.exe	39
PID 2208 wrote to memory of 532	2208	Fmcoja32.exe	39
PID 2208 wrote to memory of 532	2208	Fmcoja32.exe	39
PID 2208 wrote to memory of 532	2208	Fmcoja32.exe	39
PID 532 wrote to memory of 1512	532	Fhhcgj32.exe	40
PID 532 wrote to memory of 1512	532	Fhhcgj32.exe	40
PID 532 wrote to memory of 1512	532	Fhhcgj32.exe	40
PID 532 wrote to memory of 1512	532	Fhhcgj32.exe	40
PID 1512 wrote to memory of 2308	1512	Ffnphf32.exe	41
PID 1512 wrote to memory of 2308	1512	Ffnphf32.exe	41
PID 1512 wrote to memory of 2308	1512	Ffnphf32.exe	41
PID 1512 wrote to memory of 2308	1512	Ffnphf32.exe	41
PID 2308 wrote to memory of 2496	2308	Fpfdalii.exe	42
PID 2308 wrote to memory of 2496	2308	Fpfdalii.exe	42
PID 2308 wrote to memory of 2496	2308	Fpfdalii.exe	42
PID 2308 wrote to memory of 2496	2308	Fpfdalii.exe	42
PID 2496 wrote to memory of 2888	2496	Fbgmbg32.exe	43
PID 2496 wrote to memory of 2888	2496	Fbgmbg32.exe	43
PID 2496 wrote to memory of 2888	2496	Fbgmbg32.exe	43
PID 2496 wrote to memory of 2888	2496	Fbgmbg32.exe	43

C:\Users\Admin\AppData\Local\Temp\cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cdfb687b4c1d106e9e777637d86434d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Dqelenlc.exe
  C:\Windows\system32\Dqelenlc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\Dbehoa32.exe
    C:\Windows\system32\Dbehoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\Ddeaalpg.exe
      C:\Windows\system32\Ddeaalpg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Doobajme.exe
        
        C:\Windows\system32\Doobajme.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Eqonkmdh.exe
        
        C:\Windows\system32\Eqonkmdh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Eeempocb.exe
        
        C:\Windows\system32\Eeempocb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ennaieib.exe
        
        C:\Windows\system32\Ennaieib.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        37⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 140
        38⤵
        Program crash
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Doobajme.exe

Filesize
226KB

MD5
89320928cbc0d80e5e7a3384242b1516

SHA1
5060ffc547fcc6719439045ef37d421ecccd54f3

SHA256
2e1f329ef5793cdd6f565fcfd9dd3205758b2260f035ff96ab32e60d5f5dfbc3

SHA512
85fda871fceddfedd6c56f0c606644575f66f77aab0419d864ea742a37b30a183c8b6645bc0080c7e884a96a68adca78577d9d3fff4698684cfdcf22014dea83

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
226KB

MD5
082a0d4466d8b8e685a488afa8804388

SHA1
556e839afaf2021a4d74e3d9e59cc1617980aa11

SHA256
95b35fd62ff0a9c4c7af0def08e033b1ba6632b9ee1ca80e84741dfaa02fd66b

SHA512
90190f5588c02e3958cbf2d5969cf1a019b8fb3e67da9ab235db585422378ad7c4734d789b7971484786a41ed1bf503e487c15687725dcf179210df3bd946739

Download Submit
C:\Windows\SysWOW64\Fpfdalii.exe

Filesize
226KB

MD5
1a6f5c8f59109a9186c3c9a4834ebdb3

SHA1
7a6073e888627f1189217ce4e6f1cd3034a54aee

SHA256
1127697d883bbb73afff6002077ba7564650689a8c5c64560e6dbfdbfc90b4ce

SHA512
393ec066ad53d09418e87b5bbc3a1b179abfb2e74f4bf051cfc0edcedddaa5a8bd5081b2b7302b4b022f97794aa0f4b5213c3690baecd9b11fb7146e2b7c6912

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
226KB

MD5
bb404f84c7ae7ff9a7f6011911b0286d

SHA1
541ff822022c13f3436b818e2aecc18fae0ffe3d

SHA256
8c129ad0ee68ba73896e0bb04ad579ea9d9293a1e9d643e648c4dc06c2989bee

SHA512
e8c522eb9d9ecb959a473ee73cbf2436fb65544a6fb32b03d2f8e9939bddaaad425363f3074528b4506b99ca98d08ad6c5f98a32cc1636222e587b8fb6fe7725

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
226KB

MD5
6dcf1f0ba4da74451139d13d09ae6012

SHA1
5c111a1a86fd4512340a1813d6b83d55bde7d94c

SHA256
7e6656e8acabae08b06fc3667a8a0a42cf958fa3eb9172a679036e33f9a5a3b3

SHA512
6f70dbeeb7dad4ada11e10c996b054a1af5364d6f11b7242be70ec5da7579c49f99952cb19b57e2754015bf94c6ad0c7e8953c53cc86422b75dcff076c61e1ca

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
226KB

MD5
70a4ec982e613d224e57cee307983213

SHA1
2e32cc7877570c350cad668d96699a998613d4b2

SHA256
309246f52c220ccf1cc62b4521a710027edbb2d77c06cfe0fbd7fe03910a7d6a

SHA512
b6333695018de85ae388da61283aa83f3f66515e0495c8d118c0548a9da3028bb97dec2a2c01d56167d001a9566e28ff6fccaa51469f1669204f907ec2e624c1

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
226KB

MD5
5d32ab843adfc982ac04e3ff7f94ce42

SHA1
f76660096d8db58d4d6d3587ab53a87308e02c5a

SHA256
c1af5dfe0fbe7cd4a231dbc3795d41e899ed3c867562d825e7d9e8bdc8fa5e4b

SHA512
ab932855db9650fd47034ecd8dae70610983b9f8c695e177adc0cab97ea3f5a9e5faaad2b5d3c131b8bb8b328c2c7eebcbae1e7fd75baac7e043656fc2d24cae

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
226KB

MD5
bbef7976df1fc6ab1367a2b260a10ab0

SHA1
4b96d45befc22f8885088635f490c2671cf6f164

SHA256
280eef6ba989d5ef6dcac88558b7074e374dfae858edaa24f9b88381a77d5bcf

SHA512
bd8a96336f0841942d11f6dbc256e1801f7668973cb02ef3f4490d7012e262fcb9621f0875342827da1d1564e2f275d394411d5fdcd8ab4ae15caa3adea39387

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
226KB

MD5
15e48cc9a69e9d01a8aa5a6d6c52cd5f

SHA1
c45b876064900496a2c26b307c64c10694780b15

SHA256
8c381cf040dc60a46bb0aefc2613b1fdfc13d1eb1a0ae81050e76066df1485bb

SHA512
d31a206ed2bf03046bc09b60e6690229f03ed9dfe125633cf2fff22885cd5c83bf8607f3ff924ff611362cc7694db647fba84f43f13186a3b25a5817f8ab17fa

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
226KB

MD5
94bde25ce6fe30bbd43c12102263e671

SHA1
bdadc645830dfdf627c3dd73a19ecae2fb5ae0d0

SHA256
a1fc82ac1f13d9539c9eb22ab118d2ac2088c6fd71e16c5bbc191c8b019aa024

SHA512
654b9473612f915455ef395fddd4373a692ad8b62e6335349a09dc2b3bec8c725cf7c6564b1b362ab8807d594c61bbdc0b52750f164276eda95b272260083472

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
226KB

MD5
9c226c1814be90f1afbc678eaa2961ac

SHA1
e17bdafde953e99058396d88a4f8ed3494f844e3

SHA256
29d182fd9f966086f794fab4b98871b107b1f1552be0701d4efeb96133a416bd

SHA512
18a223fadab6c41a1c15fd75a758838b6ed205ff64c3fb85e7782e0e83802aca553a0193f32627b2c34cdee0e48bc2a369069c38194b81a67373b2b506b58739

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
226KB

MD5
24a9e1ec8e2b73d1338f0bf8f58de78b

SHA1
2f67f45bc196429411b0125c661d4b210ed24f8c

SHA256
02a9dec1a17d165f9f1ee2154b96088024e108df7732c98df2a00ac24eb02151

SHA512
e3c2fca1cb139dfb282c9a3cacb63e6be8004bce2ef05b2588a16382fa09579ca20a7215213e34dd371932df82687981d541f12b3bff593afd14a027a86f9fb9

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
226KB

MD5
52bf946f5ff089b91c3085f40338c99a

SHA1
fdafd065d8a17b2046b38995434e7768c44bb9d0

SHA256
b66523eeefd5b9160b1708e65bdd79e32aac308eadbf29a8282f1f49fd27a930

SHA512
a70ab874320e18fa7d9286f3144bb97e74a1c79ed2e59ec1806c7eddd949179e5e03e7b76a7219cdbbeb77276de380fe990d478a21742383bcdb4a7920ccfae7

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
226KB

MD5
128965394380b8b2b113f86aa0e7c8a4

SHA1
d0ae6f9748853804feaa3be74ed0d075f54574e0

SHA256
73900f63574d2ad903583363372c94229918f052fbafa8e770557b685c44a505

SHA512
9916a72722a50ce429d24d508964beb7202849cb294344b5ce4f4803252ef8a4e42a9466b01bcda6217b3f243d0cfb8c6f9e2ca0557da89d37cc213b5e3feec3

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
226KB

MD5
f402c8f0ab180cad2ce46b6143d22afc

SHA1
619985ed47096373638d5ae1e0571474dfe48c1f

SHA256
6556e68d62c8771da8e32c0a05a5319a82d666cee06651a5db0491e40ae40906

SHA512
2310833d0e1d7033142a58cb18c642628494bd9b1d9b67652eea1ea519f732d686709118ea0eb1ce53341e3bcde2a3aaf64e68e6b9c6e859e80c942a9712a2a4

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
226KB

MD5
6f421c1299ca149ee3a3e761444aa099

SHA1
747c7c24b85302f7600a245030cd509ce6065d15

SHA256
66fb89c7f62b7f0a7a8883c86b758598ce83ebe56ce5e1d33271c404abce2b6d

SHA512
a995079b9bb0caaaee50e22ef4e56cb29938b4c321bd8c475df2644435b9fa906f4a94f8bd44d867d0625adb0b013fc0cef4b568f3417e8447d6861f8b4c933d

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
226KB

MD5
7b8c04c82dddf4cb7d5e6518a1e845d9

SHA1
95e60042c92d089d5d13f64bac5a5778c74e8a4a

SHA256
b6a11dfdae8eda97b2c0b5a29f71842374a52f21bb776363835af8a3a4eb1a81

SHA512
822e7e6159921fe0e3231d0ff3849a0841da39d82dd737614193253523d0086a4e690ea07c180f06e40dc8d39db2a15f3353c5ad001bfde69b158c991508ee92

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
226KB

MD5
20030ce6e7cbaa82e1d83dd202b10afa

SHA1
3fb3487ee3b24ac123b1f88afc6535271fb1fb16

SHA256
f2c6cb287a3464d6f1ef03a98fc33b8cfd10ef4b7705e9c00b59d79321841f0e

SHA512
e7541e31467b02368d89f703a25ad1e5d7f4e39daca462c53f23638a6747400807be24eb8e9117bad077428c6bed4b5ea795e16dd11039ba69a6a996122843ba

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
226KB

MD5
9ebbe7938c14f874392edecb29e67420

SHA1
7c7d7e284ef4e0e0031b6b18a9a5c95c5b93ff88

SHA256
beb65918a002d901254fa8dca18295ad7e1052186b1503087200c7d5801386b5

SHA512
2abeddef3ef3a712e88ef3be6e959ffa295ef66f4ef568332e1aa20109fecd1ce16eed2e3f229ed22133953d1681e76c989e43a9ca0a5fbb2011148082af1007

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
226KB

MD5
271854722093f3578f63e2708a8057c8

SHA1
fcfe258b7b894ce8ae5494d1af411ce5fdb844a2

SHA256
27b37394e0d46ccf9082a301defc8ecbde5ea4efa8a05e403010784614bc14ae

SHA512
427657a8e5713580782e48f75f71f8533d9245ca5c4e1cc9719868a226cb1f385dbba231ba020547a73d14be4ede4ff369fd818a8ed7905022b23e8d57136bf8

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
226KB

MD5
8c21f53dbb2e697f3d14f2f9f7e02035

SHA1
41a023fa57115f7774b16b6b23a82bd45a7a66d3

SHA256
efd9c3f21d0658755ec8eedffb3ba78008ec165225bdd6efcf115f686aee855d

SHA512
da0c402ad8c2c9e6e15354766bcbd7b336f9b2d7b1a51557a81953ac10c1d7968d6fe00359528220934c594990a2931ac8776e5572c48b70145a9bfec0ff0db9

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
226KB

MD5
3f47a51666236c2869f7f082e2c7906d

SHA1
84d425c5702d5e3af4c94372276d9cf23941e033

SHA256
eb86bc76ad58a1a0c5dfbcf251c86c56ca3e1c293ff03c8453a33ffed60acad5

SHA512
68c51eb2a1e08609cc7a381a6018d0c30f74b1d740d7a63b3b8a483a6ed714ab8cf93f652c800eadbf8ebd6b02d32a3e3e9603b4c715819658ad5868ec4bfc1b

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
226KB

MD5
222635d3fe635a380760abf9ad4f4998

SHA1
5b43ae3a3ad55a12ad0634798065320462830571

SHA256
c41c5124c633e01e59f4808c518718a031d2f364041babaa60d9359a0ff6f6d4

SHA512
da11d91a01ce930674922b1789e576d22498e5e581ed548a441685d9a972357939796f3364440c6c61fbcdb13761b43c1aac74e4c439e8c886f6e626f4a16a4e

Download Submit
\Windows\SysWOW64\Dbehoa32.exe

Filesize
226KB

MD5
b4e4928d7c316d637dc0925b74041ac7

SHA1
f6fb59f2fc5f1fd2321b7cdccd96a6362267f269

SHA256
7b487ecd829864957dc9cec0c2d165fbba9c5582666170a325ea23ee95781f51

SHA512
62ade37c3b7deb9168ebd263ee8cf058023a2529821bd8ddd8b079790638057ec94d3935d82780ff35a9671df6aa4fd3848ef287e6671d1551019732b0b325b3

Download Submit
\Windows\SysWOW64\Ddeaalpg.exe

Filesize
226KB

MD5
1b6c2b0e0065ee2a7acf68548bd36f4c

SHA1
038e8a9ef3525f2501c83cb2f4c971d34d178a7a

SHA256
e957af4a4ff56fe7e9f199cf58ea0e4ca58bab7dd83c65e4292250388e2180ad

SHA512
72e9c5dcee6e7442f20fa18d4b18e86ccdaa1a6688904f1d46f5d45cae6d6b487816040687ca64dd29490f5e1a7ba1806945c76868717e95c59acde49d5458e7

Download Submit
\Windows\SysWOW64\Dqelenlc.exe

Filesize
226KB

MD5
739137ac97d786a533098012ce0ecfc3

SHA1
420268f695199073dcae4ff924a21ad4d57e73b4

SHA256
a7602ab20e7973a0507516b75c686ca1982ec4b880458bd3c577187b32100c3d

SHA512
3f014700cf099a553383be9adb1b81d23430151a835bd51dad202987a668cf615a43ea676bb6f60b132491cc9d2a982e3ca122e99d53eb55b1a4777a72644127

Download Submit
\Windows\SysWOW64\Eeempocb.exe

Filesize
226KB

MD5
45ce319781318796439b9010f007690a

SHA1
1ed725c79d99c9f812ec3a0c3d0c0ecf717f6a21

SHA256
38e413a15dbc77c9eb7b2df025f5444a092b3c14ae5f51ef05892e56f07c0140

SHA512
e56885dba340bb8347cf2dc4ff926a3efa8d5252b17fd6515bc98b21b5b5248e3d260a4b112bbd8e1b28299570be2c232522aa7285c8dc129774b33c895c8c0b

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
226KB

MD5
ed32d4c20defacce4b19c052407a0938

SHA1
b64655b142c9668eed77633e8f920f1294399b44

SHA256
6a40c8b2a3106e7e2f6d76f644959cc33376427c026aa5f05467e49eb616e029

SHA512
cc69ed49cf4182089803d367b3a4046808ad5c8341ed86c9a680db9c1166d4e4b6f9fde04577c74022dfc3782f6bd25115870ed406b458b0bc702e9d7dcb5697

Download Submit
\Windows\SysWOW64\Elmigj32.exe

Filesize
226KB

MD5
80840dd2b3e6bc705c83cd22b886c279

SHA1
a81fddec3a6e1daa7b1e6f6d08813fdf01385604

SHA256
52b02eb3fa503b096d11f806e27fdb5ee2be2a19094d238de73d80449349168c

SHA512
99d6928e8f844053de4afceb8aab6e401a85835e03c8f2fb7fdcc0d88693e07e6d15bbecf13321c405ae937d071e52db9188a169d72100b5ac308eb22e57e220

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
226KB

MD5
bc5a672aa618403a655ec5308a333334

SHA1
e7aae7fc82d07b711d77b900e6a71196b1648cf5

SHA256
81fd1ff1ea7d1b3382355aee083459a6b06e64fe41f706c31558244c4ae01a87

SHA512
537246affff1d3b50f3c9c6f3af385fdf2601af20503faf43787d9b36abe7b1fad493fd50aeb89c135b31b8fba64f2198561b667910a6de9a5dab4ece98d55b3

Download Submit
\Windows\SysWOW64\Ennaieib.exe

Filesize
226KB

MD5
139a0923a3e3ad5507f5a7ed3ce29849

SHA1
41df81580c84c44c574723ab6b6d20de45b499d7

SHA256
4e833bad3df71dabb7375e6e77b3bcdc3e55110beed6c874eb11951ca38b8e94

SHA512
af82ca74f96147d4cd79d7a876d6179bffcfc5e9c4b2320f2e3e392f7cca47a02500660d5c4b543afb18a4ba4f9a1d7237aa72df90ba117811c70220c9a1aa51

Download Submit
\Windows\SysWOW64\Eqonkmdh.exe

Filesize
226KB

MD5
436ae3c8ca471a842f1d59ea400b79c5

SHA1
05c2e5b4dbce9fc5154b924052b033411030fac9

SHA256
31c49e5d42746ce830c36c6e63accefa8625802a837bef64023c2c0030fce8fd

SHA512
eac7cc0f71e62271076bef3d049be00ab3dfbc7e645de4167f26c4f54a676ce2d62387597ab3a48e5e302454f0e6e07f0a592c6b46aaf613b30d8deb11fce6be

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
226KB

MD5
54cdf552dc14c6004f768adf979ac76b

SHA1
69972d280a86f13b32f120ed050e8573c87b4bc7

SHA256
815c6daafff41d0644882ba83746de814336cadbfd7c76caaefdfc3d6f7a7797

SHA512
be31a2d9437d7e15fa10134ef79450229ec4ce981d75b0227b53d639c6f4a89fa963734b0f6c5085b607f74215088a4ff9ae7ca55f5d092aa63683ef2241db6d

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
226KB

MD5
34eacb316ecf942099a533c87e5144e6

SHA1
7fbdcd6274876be24025b55065bfff34ee925b81

SHA256
3903ae51a4edadba9db928f0c99748d8dd4f2dd9e6cf37d760d43114c4da6f1e

SHA512
0af379f3fc18539f57f92bed31812b6fda90b658fd10825ce24215b65ac6179ba2138251ff4cbc837173ba90047075b72533038bfbd7405815f61c7f5e3f8f95

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
226KB

MD5
ea859ad3e5a2ff11763402432cbbb52b

SHA1
313b2cf084026c15b3e903df0f7c36f613fa30e4

SHA256
76964e821d5b69b55ab42d7600f9c2a40c00d8e083a6069e974981817e01a308

SHA512
e104a9b401a8b59f99ddea7d938b85264b2fd698208c1531b193287e631d03c7badd54f8d5fa91925ad5f09da82d5c57fe3b12dde2f6fadd59ac38d9d0ab2559

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
226KB

MD5
71fca2a7958c4662135e1ba496a5389a

SHA1
6d6f7aa968a4e2ccc1ba715aa11dff23de952c58

SHA256
230fc0e0b5f36438aec9b7224bd3385a6778ccafcd9ad53954c898a44d4c5027

SHA512
1429b63f5d2b6da5a941ef6248af6ac12747748c0ae1c2d5a8d5a161cb1ad82b9ddf858e710788b46f2ad7f61ff5c5582a4e4b0a44b50ae4ff3acc97b5281bd9

Download Submit
memory/532-178-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/532-171-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/532-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/532-535-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/776-306-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/776-318-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/912-245-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/912-547-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/912-254-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1052-294-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1052-285-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1512-192-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1512-186-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1512-177-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1512-537-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1588-337-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1588-347-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1588-346-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1600-284-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/1600-283-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/1652-108-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1652-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1652-525-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-496-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-25-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1716-13-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-26-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1772-277-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1772-278-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1780-545-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1780-241-0x0000000001F60000-0x0000000001FC0000-memory.dmp

Filesize
384KB

Download
memory/1780-235-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1980-531-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1980-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1980-145-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2100-304-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2100-305-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2100-298-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-498-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-40-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2152-28-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2156-336-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/2156-335-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/2156-326-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2208-533-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-212-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2308-539-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-193-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-201-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2388-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2388-264-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2496-541-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2496-220-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2496-222-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2496-214-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2500-425-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2508-94-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2508-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2508-523-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2520-387-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2520-383-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2520-390-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2552-504-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2568-406-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2680-407-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-420-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2716-382-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2716-376-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2716-367-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2720-500-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2832-527-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2832-110-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2832-118-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2840-401-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2844-426-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2860-361-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2860-348-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2868-67-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2868-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2868-502-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2888-234-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2888-223-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2888-233-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2888-543-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2924-529-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2924-129-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-494-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-459-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-478-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2932-6-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/3024-366-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/3064-325-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/3064-324-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads