ca860d52e46a26f1d278b48238d1e2fbc1d2e1ff4e368dabd7b830aa9700a3c0

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Size

163KB
MD5

eff6f7bacffbcc9e10e5c3b1d4f277e0
SHA1

c2e232f0f942bf9496dd132af1eb2a99a356f335
SHA256

ca860d52e46a26f1d278b48238d1e2fbc1d2e1ff4e368dabd7b830aa9700a3c0
SHA512

6710c99ed9b73d97f08a9783524b6c5dff5c06ff69786af36fd0bfdf0f33eef19311fe2c90d756a541ef22b95980e7ba2a27f4ca7c6504e735fc10997d0a463a
SSDEEP

1536:P6+Cr/elPg2hhtZ76bQETWnV17O5tlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:y+i/sPxRd6bQpnT7qtltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hgdbhi32.exeHdhbam32.exeHlcgeo32.exeEgamfkdh.exeEbinic32.exeFfkcbgek.exeGbkgnfbd.exeEnkece32.exeFhffaj32.exeGbnccfpb.exeGlfhll32.exeEcpgmhai.exeEgdilkbf.exeGhmiam32.exeFmjejphb.exeFiaeoang.exeGaemjbcg.exeIlknfn32.exeHnagjbdf.exeFmcoja32.exeFfnphf32.exeFnbkddem.exeFacdeo32.exeGacpdbej.exeHkkalk32.exeGonnhhln.exeGicbeald.exeHgbebiao.exeEpfhbign.exeHgilchkf.exeHacmcfge.exeHpkjko32.exeHpapln32.exeeff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exeFjlhneio.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhffaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecpgmhai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhffaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egamfkdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe

Executes dropped EXE 36 IoCs

Processes:

Ecpgmhai.exeEpfhbign.exeEgamfkdh.exeEnkece32.exeEgdilkbf.exeEbinic32.exeFhffaj32.exeFmcoja32.exeFfkcbgek.exeFnbkddem.exeFfnphf32.exeFacdeo32.exeFjlhneio.exeFmjejphb.exeFiaeoang.exeGonnhhln.exeGicbeald.exeGbkgnfbd.exeGbnccfpb.exeGelppaof.exeGlfhll32.exeGacpdbej.exeGhmiam32.exeGaemjbcg.exeHgbebiao.exeHpkjko32.exeHgdbhi32.exeHdhbam32.exeHnagjbdf.exeHlcgeo32.exeHgilchkf.exeHpapln32.exeHacmcfge.exeHkkalk32.exeIlknfn32.exeIagfoe32.exe

pid	process
2452	Ecpgmhai.exe
2040	Epfhbign.exe
2900	Egamfkdh.exe
2828	Enkece32.exe
2836	Egdilkbf.exe
888	Ebinic32.exe
2604	Fhffaj32.exe
1948	Fmcoja32.exe
3008	Ffkcbgek.exe
2492	Fnbkddem.exe
2156	Ffnphf32.exe
2588	Facdeo32.exe
2744	Fjlhneio.exe
1392	Fmjejphb.exe
484	Fiaeoang.exe
760	Gonnhhln.exe
1608	Gicbeald.exe
496	Gbkgnfbd.exe
1348	Gbnccfpb.exe
948	Gelppaof.exe
1328	Glfhll32.exe
2504	Gacpdbej.exe
1800	Ghmiam32.exe
1740	Gaemjbcg.exe
2892	Hgbebiao.exe
1564	Hpkjko32.exe
2612	Hgdbhi32.exe
2148	Hdhbam32.exe
2788	Hnagjbdf.exe
2664	Hlcgeo32.exe
2748	Hgilchkf.exe
2832	Hpapln32.exe
3000	Hacmcfge.exe
2852	Hkkalk32.exe
2972	Ilknfn32.exe
1520	Iagfoe32.exe

Loads dropped DLL 64 IoCs

Processes:

eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exeEcpgmhai.exeEpfhbign.exeEgamfkdh.exeEnkece32.exeEgdilkbf.exeEbinic32.exeFhffaj32.exeFmcoja32.exeFfkcbgek.exeFnbkddem.exeFfnphf32.exeFacdeo32.exeFjlhneio.exeFmjejphb.exeFiaeoang.exeGonnhhln.exeGicbeald.exeGbkgnfbd.exeGbnccfpb.exeGelppaof.exeGlfhll32.exeGacpdbej.exeGhmiam32.exeGaemjbcg.exeHgbebiao.exeHpkjko32.exeHgdbhi32.exeHdhbam32.exeHnagjbdf.exeHlcgeo32.exeHgilchkf.exe

pid	process
2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
2452	Ecpgmhai.exe
2452	Ecpgmhai.exe
2040	Epfhbign.exe
2040	Epfhbign.exe
2900	Egamfkdh.exe
2900	Egamfkdh.exe
2828	Enkece32.exe
2828	Enkece32.exe
2836	Egdilkbf.exe
2836	Egdilkbf.exe
888	Ebinic32.exe
888	Ebinic32.exe
2604	Fhffaj32.exe
2604	Fhffaj32.exe
1948	Fmcoja32.exe
1948	Fmcoja32.exe
3008	Ffkcbgek.exe
3008	Ffkcbgek.exe
2492	Fnbkddem.exe
2492	Fnbkddem.exe
2156	Ffnphf32.exe
2156	Ffnphf32.exe
2588	Facdeo32.exe
2588	Facdeo32.exe
2744	Fjlhneio.exe
2744	Fjlhneio.exe
1392	Fmjejphb.exe
1392	Fmjejphb.exe
484	Fiaeoang.exe
484	Fiaeoang.exe
760	Gonnhhln.exe
760	Gonnhhln.exe
1608	Gicbeald.exe
1608	Gicbeald.exe
496	Gbkgnfbd.exe
496	Gbkgnfbd.exe
1348	Gbnccfpb.exe
1348	Gbnccfpb.exe
948	Gelppaof.exe
948	Gelppaof.exe
1328	Glfhll32.exe
1328	Glfhll32.exe
2504	Gacpdbej.exe
2504	Gacpdbej.exe
1800	Ghmiam32.exe
1800	Ghmiam32.exe
1740	Gaemjbcg.exe
1740	Gaemjbcg.exe
2892	Hgbebiao.exe
2892	Hgbebiao.exe
1564	Hpkjko32.exe
1564	Hpkjko32.exe
2612	Hgdbhi32.exe
2612	Hgdbhi32.exe
2148	Hdhbam32.exe
2148	Hdhbam32.exe
2788	Hnagjbdf.exe
2788	Hnagjbdf.exe
2664	Hlcgeo32.exe
2664	Hlcgeo32.exe
2748	Hgilchkf.exe
2748	Hgilchkf.exe

Drops file in System32 directory 64 IoCs

Processes:

Enkece32.exeFhffaj32.exeFacdeo32.exeGbnccfpb.exeGacpdbej.exeHpapln32.exeEcpgmhai.exeEbinic32.exeGbkgnfbd.exeGaemjbcg.exeIlknfn32.exeFjlhneio.exeEgamfkdh.exeFiaeoang.exeHgdbhi32.exeGhmiam32.exeHnagjbdf.exeHlcgeo32.exeHgilchkf.exeHkkalk32.exeFmcoja32.exeHgbebiao.exeHpkjko32.exeeff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exeGlfhll32.exeFfnphf32.exeHdhbam32.exeFfkcbgek.exeFnbkddem.exeGelppaof.exeGonnhhln.exeHacmcfge.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Midahn32.dll	Enkece32.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Fhffaj32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	Fhffaj32.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Epfhbign.exe	Ecpgmhai.exe
File created	C:\Windows\SysWOW64\Fhffaj32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Lbidmekh.dll	Egamfkdh.exe
File opened for modification	C:\Windows\SysWOW64\Egdilkbf.exe	Enkece32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Fhffaj32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fiaeoang.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Ecpgmhai.exe	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkddem.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fhffaj32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Egdilkbf.exe	Enkece32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Ecpgmhai.exe	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Enkece32.exe	Egamfkdh.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gbkgnfbd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1504 1520 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
1504	1520	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Fjlhneio.exeFiaeoang.exeGhmiam32.exeHpapln32.exeEnkece32.exeFmjejphb.exeGicbeald.exeHgbebiao.exeEpfhbign.exeEbinic32.exeGlfhll32.exeHkkalk32.exeIlknfn32.exeFmcoja32.exeFacdeo32.exeHgilchkf.exeGbkgnfbd.exeHlcgeo32.exeeff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exeFfnphf32.exeGelppaof.exeGaemjbcg.exeHdhbam32.exeHpkjko32.exeFnbkddem.exeHgdbhi32.exeHacmcfge.exeGacpdbej.exeGbnccfpb.exeGonnhhln.exeEcpgmhai.exeFfkcbgek.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll"	Enkece32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epfhbign.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll"	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2124 wrote to memory of 2452	2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe	Ecpgmhai.exe
PID 2124 wrote to memory of 2452	2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe	Ecpgmhai.exe
PID 2124 wrote to memory of 2452	2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe	Ecpgmhai.exe
PID 2124 wrote to memory of 2452	2124	eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe	Ecpgmhai.exe
PID 2452 wrote to memory of 2040	2452	Ecpgmhai.exe	Epfhbign.exe
PID 2452 wrote to memory of 2040	2452	Ecpgmhai.exe	Epfhbign.exe
PID 2452 wrote to memory of 2040	2452	Ecpgmhai.exe	Epfhbign.exe
PID 2452 wrote to memory of 2040	2452	Ecpgmhai.exe	Epfhbign.exe
PID 2040 wrote to memory of 2900	2040	Epfhbign.exe	Egamfkdh.exe
PID 2040 wrote to memory of 2900	2040	Epfhbign.exe	Egamfkdh.exe
PID 2040 wrote to memory of 2900	2040	Epfhbign.exe	Egamfkdh.exe
PID 2040 wrote to memory of 2900	2040	Epfhbign.exe	Egamfkdh.exe
PID 2900 wrote to memory of 2828	2900	Egamfkdh.exe	Enkece32.exe
PID 2900 wrote to memory of 2828	2900	Egamfkdh.exe	Enkece32.exe
PID 2900 wrote to memory of 2828	2900	Egamfkdh.exe	Enkece32.exe
PID 2900 wrote to memory of 2828	2900	Egamfkdh.exe	Enkece32.exe
PID 2828 wrote to memory of 2836	2828	Enkece32.exe	Egdilkbf.exe
PID 2828 wrote to memory of 2836	2828	Enkece32.exe	Egdilkbf.exe
PID 2828 wrote to memory of 2836	2828	Enkece32.exe	Egdilkbf.exe
PID 2828 wrote to memory of 2836	2828	Enkece32.exe	Egdilkbf.exe
PID 2836 wrote to memory of 888	2836	Egdilkbf.exe	Ebinic32.exe
PID 2836 wrote to memory of 888	2836	Egdilkbf.exe	Ebinic32.exe
PID 2836 wrote to memory of 888	2836	Egdilkbf.exe	Ebinic32.exe
PID 2836 wrote to memory of 888	2836	Egdilkbf.exe	Ebinic32.exe
PID 888 wrote to memory of 2604	888	Ebinic32.exe	Fhffaj32.exe
PID 888 wrote to memory of 2604	888	Ebinic32.exe	Fhffaj32.exe
PID 888 wrote to memory of 2604	888	Ebinic32.exe	Fhffaj32.exe
PID 888 wrote to memory of 2604	888	Ebinic32.exe	Fhffaj32.exe
PID 2604 wrote to memory of 1948	2604	Fhffaj32.exe	Fmcoja32.exe
PID 2604 wrote to memory of 1948	2604	Fhffaj32.exe	Fmcoja32.exe
PID 2604 wrote to memory of 1948	2604	Fhffaj32.exe	Fmcoja32.exe
PID 2604 wrote to memory of 1948	2604	Fhffaj32.exe	Fmcoja32.exe
PID 1948 wrote to memory of 3008	1948	Fmcoja32.exe	Ffkcbgek.exe
PID 1948 wrote to memory of 3008	1948	Fmcoja32.exe	Ffkcbgek.exe
PID 1948 wrote to memory of 3008	1948	Fmcoja32.exe	Ffkcbgek.exe
PID 1948 wrote to memory of 3008	1948	Fmcoja32.exe	Ffkcbgek.exe
PID 3008 wrote to memory of 2492	3008	Ffkcbgek.exe	Fnbkddem.exe
PID 3008 wrote to memory of 2492	3008	Ffkcbgek.exe	Fnbkddem.exe
PID 3008 wrote to memory of 2492	3008	Ffkcbgek.exe	Fnbkddem.exe
PID 3008 wrote to memory of 2492	3008	Ffkcbgek.exe	Fnbkddem.exe
PID 2492 wrote to memory of 2156	2492	Fnbkddem.exe	Ffnphf32.exe
PID 2492 wrote to memory of 2156	2492	Fnbkddem.exe	Ffnphf32.exe
PID 2492 wrote to memory of 2156	2492	Fnbkddem.exe	Ffnphf32.exe
PID 2492 wrote to memory of 2156	2492	Fnbkddem.exe	Ffnphf32.exe
PID 2156 wrote to memory of 2588	2156	Ffnphf32.exe	Facdeo32.exe
PID 2156 wrote to memory of 2588	2156	Ffnphf32.exe	Facdeo32.exe
PID 2156 wrote to memory of 2588	2156	Ffnphf32.exe	Facdeo32.exe
PID 2156 wrote to memory of 2588	2156	Ffnphf32.exe	Facdeo32.exe
PID 2588 wrote to memory of 2744	2588	Facdeo32.exe	Fjlhneio.exe
PID 2588 wrote to memory of 2744	2588	Facdeo32.exe	Fjlhneio.exe
PID 2588 wrote to memory of 2744	2588	Facdeo32.exe	Fjlhneio.exe
PID 2588 wrote to memory of 2744	2588	Facdeo32.exe	Fjlhneio.exe
PID 2744 wrote to memory of 1392	2744	Fjlhneio.exe	Fmjejphb.exe
PID 2744 wrote to memory of 1392	2744	Fjlhneio.exe	Fmjejphb.exe
PID 2744 wrote to memory of 1392	2744	Fjlhneio.exe	Fmjejphb.exe
PID 2744 wrote to memory of 1392	2744	Fjlhneio.exe	Fmjejphb.exe
PID 1392 wrote to memory of 484	1392	Fmjejphb.exe	Fiaeoang.exe
PID 1392 wrote to memory of 484	1392	Fmjejphb.exe	Fiaeoang.exe
PID 1392 wrote to memory of 484	1392	Fmjejphb.exe	Fiaeoang.exe
PID 1392 wrote to memory of 484	1392	Fmjejphb.exe	Fiaeoang.exe
PID 484 wrote to memory of 760	484	Fiaeoang.exe	Gonnhhln.exe
PID 484 wrote to memory of 760	484	Fiaeoang.exe	Gonnhhln.exe
PID 484 wrote to memory of 760	484	Fiaeoang.exe	Gonnhhln.exe
PID 484 wrote to memory of 760	484	Fiaeoang.exe	Gonnhhln.exe

C:\Users\Admin\AppData\Local\Temp\eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eff6f7bacffbcc9e10e5c3b1d4f277e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\Ecpgmhai.exe
C:\Windows\system32\Ecpgmhai.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\Epfhbign.exe
C:\Windows\system32\Epfhbign.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Egamfkdh.exe
C:\Windows\system32\Egamfkdh.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\Enkece32.exe
C:\Windows\system32\Enkece32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\Egdilkbf.exe
C:\Windows\system32\Egdilkbf.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\Fhffaj32.exe
C:\Windows\system32\Fhffaj32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\Ffkcbgek.exe
C:\Windows\system32\Ffkcbgek.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Fnbkddem.exe
C:\Windows\system32\Fnbkddem.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\Ffnphf32.exe
C:\Windows\system32\Ffnphf32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\system32\Fjlhneio.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\Fiaeoang.exe
C:\Windows\system32\Fiaeoang.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\Gonnhhln.exe
C:\Windows\system32\Gonnhhln.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:760

C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1608

C:\Windows\SysWOW64\Gbkgnfbd.exe
C:\Windows\system32\Gbkgnfbd.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:496

C:\Windows\SysWOW64\Gbnccfpb.exe
C:\Windows\system32\Gbnccfpb.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1348

C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:948

C:\Windows\SysWOW64\Glfhll32.exe
C:\Windows\system32\Glfhll32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1328

C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1800

C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\Hgbebiao.exe
C:\Windows\system32\Hgbebiao.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2892

C:\Windows\SysWOW64\Hpkjko32.exe
C:\Windows\system32\Hpkjko32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\Hgdbhi32.exe
C:\Windows\system32\Hgdbhi32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2612

C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2148

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788

C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2664

C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2748

C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3000

C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2852

C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2972

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
37⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 140
38⤵
- Program crash
PID:1504

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Epfhbign.exe
Filesize
163KB

MD5
1073b29c89f44267617d48acaf486bbc

SHA1
37f8a934c126367b1d0b7dd71e87afe6e4e3a8ed

SHA256
a12387184e69995d7600aabd95a82933ad23e951318bd70b3f48dd4f5b7bff84

SHA512
9bf353121e2593af355336e3428319f9a31c209b9e7d956a070f94146b298156cee1756f62cd1e3c82611acddd85f46d0b03e7cf3d8670689241021f63546310

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe
Filesize
163KB

MD5
f5ecb065eacf2416e4b1389fa4126e2e

SHA1
fbbe2cc7e75e7c4cf93f6ba5328d1d4e9167f950

SHA256
cdd1ed5090087ba6db2985d9aab83ca1986000902fdbf8dbbaa2837cd0e9907b

SHA512
69b0637e616a842e8bc5e5cdd977f9fcea96ba34d0d04478c53086292f573c8710245103a7dcd4aa20b8461ed1499451813fcbeb528cf734906662015a2be601

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe
Filesize
163KB

MD5
b3c1caaa412447089d9c9a4115b0bedb

SHA1
1373df0e8d971a09290ee8db81cd54f3257482e1

SHA256
469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4

SHA512
1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe
Filesize
163KB

MD5
45207de2c0d995772cade55f16985af1

SHA1
ceb09b298a4d767fdbcda24490c3922dc1c63142

SHA256
d1e2fac4ff966c6612648a9ef107b28859903a195a0484ae34f40e1f3a41b079

SHA512
a84a736577c7a2be0fd0802806a2107df86e22e8bb2b580a5b330bd11cb30525f8675f30f6d38baf122c28861e10dea4eb6b2ffefbae9c46d872f55a0f16e5e1

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe
Filesize
163KB

MD5
dd93be10f205c5179dbb0d768a7e5abc

SHA1
f1bb6d0648aaa9798a7c607e674c9b2169863988

SHA256
03b0b20b95d3db51f40d86f634bac569de1d525c3389b21423dd4c10bbbe1a02

SHA512
05791c1a4d146e95d0ca02bcbb6402601c692006c2c3db42a09ac8b71e7958e7bf2cb2f94105a3824971a29a603db513f4c7239a40a131122915c3a68d7374c2

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe
Filesize
163KB

MD5
80b090fe8f8596308fba03fac40ff882

SHA1
d9de00d18e106bd9de925bf1d8c501ec64d6fb49

SHA256
f4923dd4cbba7a04569453abecbffe88c7a608b6131b3d5fa28f59c6b9d4c55a

SHA512
2f053acd9d938eb472ed962dd118b8a9046991f754c173269d74ec385b6e5c4b9a4de12e55a5ec43f647fdc249f1e38a77498461bf8ce73d5e10f59788674b2a

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe
Filesize
163KB

MD5
5f8896a26c7dacd16bafbda0784fe15c

SHA1
a11422071989b3bd0f49c0f71cc7da0b7a467cb3

SHA256
8ee4929b7b267c5b24d128f62b2dce82ca4ea108b5b51b7665746e2b243b335d

SHA512
eb0d23d95b522d49902603406aa4332c2e8cce6628fb3a895c560e36ee556d2de2cd5f9ed4d6901914d3f6a76dcb5d1e80864b0d335a9b8c9df6ec9bbb9c6c31

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe
Filesize
163KB

MD5
fa77844b8398b74defeae0fcc2bc3476

SHA1
743f80a0af3bb22a21e2f962a0423321340db8f5

SHA256
b7900c900a2c209d1e58191a2b474e1870584ae18713b104c9f6e8864a8127f1

SHA512
1e5eb43b93fe1c55cd0fb5a8b5c8c1b2a3b54d49bc2ea83daf8f35eb7a5dd91be22cac909eacdbe4bcb48e1e8722dbfea34a8ee346a0f2aefcf883d8550aa754

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe
Filesize
163KB

MD5
586da2e0ad71d1b70ab547748d959f5d

SHA1
24656feb9a5b8aada9fa0e1ccf7c7a2ffeb386f4

SHA256
a75aada38042a1b7160491903b4f4a98a6ffb19de8a8366941807460b3d9e124

SHA512
471f2b411c18a633cc67135f8c248ba19ea9079bf84e51022c7feda1d412b5b449519a715d73ef9944d4322132017dc32ae31064ea0326d01ee0e9c7546204db

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe
Filesize
163KB

MD5
74a3e0ea901552dfa24903c261ba6905

SHA1
782b63f00e455d8b794bdf35f589343e0220d534

SHA256
250f99cf4029aa996ff91305da4971822203b09389270aa41a959e66e2230259

SHA512
25398180558783a18565757edc13b15a3676a869fc27c2a5110c4b3cfec832d410d22973d574fe823db2d99421c2760e03d46c1f0b859152d2d19f96f191d790

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe
Filesize
163KB

MD5
3f6a5e40b97dfbc03aa29d50234caa3a

SHA1
ddfe35b84e483a6f087902cc5e4e0078a252518a

SHA256
ba259d25c05b75a560b6eeda9260d5810d3cb67dfa19db6708c98a1421b6d156

SHA512
3743d5a0ba7355e24a0911796372eb3803e426f75906b71312e06417e3deb7f124ed65f4e20980f264ac2db8ead01902bade893f490b0f49b64000cd282733f7

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe
Filesize
163KB

MD5
7d9fb2aa95739d7676bdc270a70d1bf5

SHA1
0bb061b3305cf13c75dd0e57e188b228509430de

SHA256
7c8681fbb28807729a5a47f2e4a7b8d6a7ba91547cbc0bc2b4513b223688e5c8

SHA512
7b75073bd925be781674b2a5b5d9602ecc2c71bb1688fef934a188d0d0ce95fbe89405976f0ea05709ce83adeae8dfaaedaa67e604978250d27625a8a8a84824

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe
Filesize
163KB

MD5
cd78bf159e64c0067dd444fdf547a5e9

SHA1
864d238c405145de5092e8cad1b17fb3b26f4e3f

SHA256
3576f2c0ac70c245d61a340a0bfbfb0eb255debac7d07c8a2c6c57fed4d59035

SHA512
5ae89b84cd16e0dbf8515ca6a56a6713ec99dfd3b8c521a81d01f2737be7216c71b2709d0bad6594f12a9e8b372d7b0e6c6c9a6667f596bc84e1cd13237658cb

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe
Filesize
163KB

MD5
1975476aaf57c17176c6dd4df16ec06b

SHA1
afe5a42beffc3aeb156341438f7f64c53ef05113

SHA256
f80c49be222a28cef5eebe1c66d489dca846b561aaf1b6e5af047afeb8de5c38

SHA512
6d7643b49187ec73303ad7d86f46ba4ec89dda36018379972698e5fe5a3ebea9ebad45092905153f4ce646bedaaaaf05096e1b785812cb5870bd19824abb0f9a

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe
Filesize
163KB

MD5
868c3d21af099c3eaf855048c0373a51

SHA1
50b355dc0fec2c531b57b729d7bbb73d4758ccdf

SHA256
34279b2e24df20f9ed99eab021104d76377363dab9319e13087d97c650ea26b0

SHA512
815fa4945edc3cd149dedb4f7e4d62e43b1dd66003bbb5b77e78964b1bc30b752bd626ce5bf81d8bb4cece67e2b62a260eae0d5e5fabd0309c4b78242ac56783

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe
Filesize
163KB

MD5
05bce293c2319c76c90ce486b4139086

SHA1
a9245800d2ebd5d6c65d0e63e806a2b600b26cc4

SHA256
dce620ec340a1263bc018d7adcf6b9f9edbe73f714e4543cc08cd9522d078cd6

SHA512
e50d0525b133daafdb15eea2449b01b236a59f4814797bccfe54743a518b8356da049978b93aec56df3b074912976510c5a90575d34728c1a31cd0cd1034e55a

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe
Filesize
163KB

MD5
0b596378d3ed8bc15a9d0e6897394bfe

SHA1
cd1e25aa54506a39559ebbfbd131092f2452375c

SHA256
eb5469ea9394db2dccea396b8e9e76a6dec3257af13787043f6e9fa84b8847f7

SHA512
f909c40e805e0bc075aed7a223edb91760090652066f28d4148245ca485c86e656f5eb269be0eeded0bcb96b337866476dd7e5a024c39d90ce34e4f1e96d1683

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe
Filesize
163KB

MD5
5a11dcca7022018fb6ea51136b23beff

SHA1
4f1fb5794a3802704af59733ca7ee91223e0b097

SHA256
db33d4a52dd2ed2e0698517948a863b0eb442f4b17673f45ba56934d5aac26ac

SHA512
113471c402cd879f6434246387614219e616cc63150fb8d200d86dd4261b5da06d6ae06d3ed6062aec25b0e4f5674cadc059dd9f356106f45a86d22005f2fdce

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe
Filesize
163KB

MD5
b1f372fc2d2f7638f0abff94b0559600

SHA1
570812436da169e2325aaddad940e29aa932c6c3

SHA256
57aa5b19969312ee64dfada111704131c276244c62fcd7cf94dac44689ba3a93

SHA512
4aecb6afb05ffe92c1d6f81bc818787619ab28d07892c312542168d2b79bcf58eeb0d00bed8558cde2f293c2015cd5f4e77ede9795cbb6ea4e6ce96fcd772336

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe
Filesize
163KB

MD5
6722d593df5c469ca1b900677c52b3f0

SHA1
f47f451ec79ff16a6de1abe5e57ecdc8275fffaf

SHA256
109b3fef673e85649b412e4ed7994dc749b06d66f78ba4b1db46156b61c5950a

SHA512
8b6b1e98e1931d0368397dc2c71bd4085716a78bfc5b19787adb665399ea01439f7fe7ee4dbcfd35f08ca0f2e303da4b336ae0c4e7b576779e01f2ff1cfd937c

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
163KB

MD5
54f2155af218471633d3ed381a2b1f1c

SHA1
29ce1d316fe0f5f19a9425c05bad0679343c7dcd

SHA256
644e7fd1dd120e544f3aff63f90a442bd1a40c41fb2864c94b25f437679eb6b3

SHA512
5ce7381fce21db1544f3b65973d86c79991628bd4bdad84c47fcb985bbbd9ecdf02eedf4d93adb68043a58d3fcb69c7ea55db11f5df770399fc18c3bf9d5e707

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe
Filesize
163KB

MD5
3cd837e3b368d8ae6676d88daf7cf8a1

SHA1
4e62af2fbaf3dee9b95edd6ffc3bf6b2f5165314

SHA256
a1da7f88b818e9919d3e13d5793e9bf70c6e48e3abf5974a53fbf201d8729b76

SHA512
628ed363b9843da8488130e11c8411df9229e17610d36cc17ef934293a3c8a5f2a97f7ab2fbb1f862ca27481ce998e21395738c7990b900d1ae76bb909ae42a6

Download Submit
\Windows\SysWOW64\Ebinic32.exe
Filesize
163KB

MD5
fddbd2466be8993485f233366f138ed8

SHA1
0267e093e5b2bcf81f4a9447394119cb3ff4319f

SHA256
af1b0656fb5f89934ca6e99c1493e716da41ded3a4f1894b680b2f9e581062b0

SHA512
ae65e2b71a4f4552abf7e55c67438a175eadadb7ca83c929415feefb3c6a57a7d57bc8ec866c533c783f8e5d25f3b53c2f0521124854792fa42c48c2acce1c34

Download Submit
\Windows\SysWOW64\Ecpgmhai.exe
Filesize
163KB

MD5
3df6618ab1758e9a9e088410ce33b6b1

SHA1
f1164a2aebafb55dabbfa0d7e98bf467ff8e3c5d

SHA256
23a1b89b00b3d09a445672836ff0d83a80e421fdb071ba2d2caff228ed78ca35

SHA512
b8f6c55b20042fd7073c3095e19ddf7f24fb64231a8f694f3715516ab26f1607b9345ba63a68f3c061d54562063cbe120125101a147b15c7217d4346c374a97c

Download Submit
\Windows\SysWOW64\Egamfkdh.exe
Filesize
163KB

MD5
e6b0d289022299428dcda2132b694745

SHA1
da1ae57c39478568664e266848c511703ffef3cf

SHA256
b9174854ce0192b41d140de4640d57a33caa248836874df68dcc2933eaa570be

SHA512
91ac3339f831daa018b54a43f1923b8f1899228607a5639f8945a2f80a551c54640431e750a256d30c5ca0d8febef960c091122cc5819fa9d01e0c2d065a7539

Download Submit
\Windows\SysWOW64\Egdilkbf.exe
Filesize
163KB

MD5
543118f002c32991a0bad8d46d5b9c13

SHA1
1312d6f2a5a9f318827caeb3d64467f525027654

SHA256
cb49f0a1a37e639240a8a79c89493dd1b10eb926d082889492b1794675766466

SHA512
9596eb17807bb395b47a81f1d7a593ae2cbc9087e0b282272522de6248d91385f8536e84938542cac72cd3e967b32720c28868ecb980d21f787015b1c6fb2be0

Download Submit
\Windows\SysWOW64\Enkece32.exe
Filesize
163KB

MD5
9f2e7b27f0f722dde3d87b5318ec3eb3

SHA1
c0644e18698c9ad5356806647035a68729e2acae

SHA256
a14b0c068b48cfe45adfb78b3eb3db881d100bbc9f2a4805a747d1dcec303e15

SHA512
47412040b40104b76a98aa7876719c5dd2ea35ed22260daf068464874f938eae159516ec082ebc33a3e7823514838b60b3a449569f04aa7bc1ecbb36253b07f6

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe
Filesize
163KB

MD5
ffe4e18704833f4f836692b9dc26bee0

SHA1
f276ec8de824e9d248b5a560ad9c4b69d54e0e3f

SHA256
cac5d6137ff12e491f88bbb5bab8e190adf10410dd32a88aac64807c31466277

SHA512
3db2c3de77b5a48d0f1db8f788e9f3551e1432947dd9a1919178fb6c1e378d80c8004dc95b8f4bd4bf590f27fc4146416c8a46c7758187b6330e22f57c767839

Download Submit
\Windows\SysWOW64\Ffnphf32.exe
Filesize
163KB

MD5
fc62f1f73a651393da41431b3177b197

SHA1
91fa58562a36fc936abe29ca4f9a794de146b5de

SHA256
93516583a799bef080c1b170cf2371598a586e82a2e05d0d323e25cc019d6cb4

SHA512
a8219e85069589725e2c668e7d0401fb711e0150f255cdcc550e852f4c600f2d3699429367f50ac0ed989b6b79fd4851cfa51ebfae641ebbb5aaa1c933093c45

Download Submit
\Windows\SysWOW64\Fhffaj32.exe
Filesize
163KB

MD5
fb2aafa4ab63c1d2465322d469a22f90

SHA1
1b77c47fee96b97e1e5d49ee020b39fd806a6a8d

SHA256
760932bfeba97ba39cb972a0dad167fa1ae311c00e7d62b1cf24f0a9dc67f6f8

SHA512
1f8fea09c8e43014b0a603a8c77c01b87f10c81aab3203d5967f485de3e618321f0134a52ec7814c17f9800f0e69bd69dc19424983d45cb010b6e5b9a2df8e5d

Download Submit
\Windows\SysWOW64\Fiaeoang.exe
Filesize
163KB

MD5
550f58c1cf3c565af19f9d7506ed3f5a

SHA1
f5eb4effbb3d4e44a2c4210e339b3720af6fec73

SHA256
b4c9c68fcd41c030f57eecaa67d34a50f308e63e9b8a14c570afd44a493a7c74

SHA512
b6b6af9bc4c07db958821027e641c64aa4f84fdbbefc3ed3808331cb5d2fdfddc2787a3a23e9004f81065c48b145f2f1eda4dced2a091b680fdb27f84291a6d3

Download Submit
\Windows\SysWOW64\Fjlhneio.exe
Filesize
163KB

MD5
b9251196bda4d5f809fedd131ef633d9

SHA1
23be6f4adc2c530376696a2c54d0c0b66a357e21

SHA256
9e12eb7b3ae750c3e09299e9bf4691310694951f34a8b139afb24eb46f409b73

SHA512
893fd3ee02ce04d2f4ae4bfdec6ec16c4b103c36ae4cdc0a9917227bef027450b774c43ecda0770d7751b8b11b339586d8816fa2639bac1106c7f378f13b1752

Download Submit
\Windows\SysWOW64\Fmcoja32.exe
Filesize
163KB

MD5
ea91a06728a38fbf95099b24f0afe64e

SHA1
ea3fe172b2fae3b668a264be2ce404324807bafc

SHA256
ebcfb1aa0f606758579e9cdd38b14f363976710c614bce289fc692e9b7a58fd2

SHA512
55e9b327b6697615045cd5661fbe591d94627359788321e637f4d136fa5afd630d6703b1113aafd4382bf19fe05718e5527e1934cae4d2a0e21322d28254957c

Download Submit
\Windows\SysWOW64\Fmjejphb.exe
Filesize
163KB

MD5
9ab2de78949f1df6a9335a896e2785c2

SHA1
1a3fccada1b431b8b0add60c5af6e52063fa2748

SHA256
7868fd29baba679b3e90f7f9524bee5d0241392cabb81ab7f6a86a407825ba82

SHA512
164a054e6e32fb3c0212612947becdf054e064284ce77dc6c09d02d34426d2426eff30211eecd2656176a92f5c53e47cd093ccf95b70f8322ef521dac5d59f27

Download Submit
\Windows\SysWOW64\Fnbkddem.exe
Filesize
163KB

MD5
bb98b03aa85f9c978d3c91835cf6caf5

SHA1
2a1889b4902d52cd1e3dceb27f18dd6bfbbce65e

SHA256
1cd906fe1d433b06ab359c0e34857104cd59468577fcd7629bf93583e7b3765b

SHA512
e048770dba3d4d564f6546ba21284704248084a3dd8bb0158897f374a37a110b3970ebb71dd673348c223c0c446259561bb164c5982fdd97f8f0d196780d1260

Download Submit
\Windows\SysWOW64\Gonnhhln.exe
Filesize
163KB

MD5
20371b824991b00fbabd535d5be01658

SHA1
eb6db6fd145ae5ed7bdde5ce45d73e359983b479

SHA256
94819977f260d99b5431bd24f168cd09ecc51229de6d54c936501e73c456928d

SHA512
4f1377d8212bff50092f5faa6c30ef33f9bdf1a0cced11a4c3eb8b52b31617cda9861065351fd60bf5cd04e5a37bb9518c1d9887f745a068c0b048f8bc02f583

Download Submit
memory/484-198-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/484-211-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/484-210-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/484-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/496-246-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/496-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/496-245-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/760-227-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/760-228-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/760-214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/888-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/888-87-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/888-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-267-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/948-268-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1328-278-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1328-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1328-279-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1348-256-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1348-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-257-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1392-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-196-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1392-536-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1520-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-328-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1564-332-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1608-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1608-234-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/1608-235-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/1740-311-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1740-310-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1800-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-300-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1800-301-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1948-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-512-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-6-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2124-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-352-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2148-353-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2156-158-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2156-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2452-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2452-25-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/2452-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-139-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2492-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2504-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2504-290-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2504-289-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2588-532-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-99-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2612-342-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2612-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-375-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2664-374-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2664-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-182-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2748-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-385-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2788-363-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2788-367-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2788-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-61-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2832-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2832-395-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2832-396-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2836-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2852-417-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2852-418-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2852-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-321-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2892-324-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2892-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2900-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2900-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-429-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/2972-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-428-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/3000-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-403-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/3000-407-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/3008-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads