eb230ef0844f3d199d2d8df1c2455d9676dd9438e758c8a34f9221d676d1b54a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Size

96KB
MD5

16b41ab7006fc41eafbd7e8e0ee91270
SHA1

d60cb6e92d6ed916a9c888e8f76ce73cf2640927
SHA256

eb230ef0844f3d199d2d8df1c2455d9676dd9438e758c8a34f9221d676d1b54a
SHA512

791b9f09ad546253edb940ae190e82e3c44ac5de5f2c650c1b180bada798080f1e207b40c4963808476fcd3d31bab5690947977f0b7758739e2b99c70f23e43c
SSDEEP

1536:keXrBSKLNybnLiSitzu/nMQ1WJinH4ARQ+jTR5R45WtqV9R2R462izMg3R7ih9:ksuCtzuoJCje+3HrtG9MW3+3l29

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe

Executes dropped EXE 39 IoCs

pid	Process
2088	Elmigj32.exe
2560	Eajaoq32.exe
2584	Ejbfhfaj.exe
2616	Fehjeo32.exe
2624	Fjdbnf32.exe
2532	Fhhcgj32.exe
2348	Fjgoce32.exe
2640	Fmekoalh.exe
1568	Ffnphf32.exe
1516	Filldb32.exe
1536	Fdapak32.exe
844	Fioija32.exe
752	Flmefm32.exe
1156	Feeiob32.exe
2828	Gpknlk32.exe
1960	Gegfdb32.exe
1152	Gpmjak32.exe
696	Gbkgnfbd.exe
2872	Gieojq32.exe
1880	Gaqcoc32.exe
1012	Gdopkn32.exe
880	Gmgdddmq.exe
1836	Geolea32.exe
1700	Gogangdc.exe
1888	Gaemjbcg.exe
2900	Gphmeo32.exe
1476	Hmlnoc32.exe
2688	Hicodd32.exe
2732	Hpmgqnfl.exe
2672	Hnagjbdf.exe
2484	Hpocfncj.exe
2452	Hobcak32.exe
2944	Hhjhkq32.exe
2524	Hpapln32.exe
2556	Hjjddchg.exe
1624	Hhmepp32.exe
1556	Iaeiieeb.exe
1492	Iknnbklc.exe
584	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
2088	Elmigj32.exe
2088	Elmigj32.exe
2560	Eajaoq32.exe
2560	Eajaoq32.exe
2584	Ejbfhfaj.exe
2584	Ejbfhfaj.exe
2616	Fehjeo32.exe
2616	Fehjeo32.exe
2624	Fjdbnf32.exe
2624	Fjdbnf32.exe
2532	Fhhcgj32.exe
2532	Fhhcgj32.exe
2348	Fjgoce32.exe
2348	Fjgoce32.exe
2640	Fmekoalh.exe
2640	Fmekoalh.exe
1568	Ffnphf32.exe
1568	Ffnphf32.exe
1516	Filldb32.exe
1516	Filldb32.exe
1536	Fdapak32.exe
1536	Fdapak32.exe
844	Fioija32.exe
844	Fioija32.exe
752	Flmefm32.exe
752	Flmefm32.exe
1156	Feeiob32.exe
1156	Feeiob32.exe
2828	Gpknlk32.exe
2828	Gpknlk32.exe
1960	Gegfdb32.exe
1960	Gegfdb32.exe
1152	Gpmjak32.exe
1152	Gpmjak32.exe
696	Gbkgnfbd.exe
696	Gbkgnfbd.exe
2872	Gieojq32.exe
2872	Gieojq32.exe
1880	Gaqcoc32.exe
1880	Gaqcoc32.exe
1012	Gdopkn32.exe
1012	Gdopkn32.exe
880	Gmgdddmq.exe
880	Gmgdddmq.exe
1836	Geolea32.exe
1836	Geolea32.exe
1700	Gogangdc.exe
1700	Gogangdc.exe
1888	Gaemjbcg.exe
1888	Gaemjbcg.exe
2900	Gphmeo32.exe
2900	Gphmeo32.exe
1476	Hmlnoc32.exe
1476	Hmlnoc32.exe
2688	Hicodd32.exe
2688	Hicodd32.exe
2732	Hpmgqnfl.exe
2732	Hpmgqnfl.exe
2672	Hnagjbdf.exe
2672	Hnagjbdf.exe
2484	Hpocfncj.exe
2484	Hpocfncj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fdapak32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Efjcibje.dll	Elmigj32.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Eajaoq32.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hmlnoc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
692	584	WerFault.exe	66

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Filldb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2088	2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2088	2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2088	2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2088	2972	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	28
PID 2088 wrote to memory of 2560	2088	Elmigj32.exe	29
PID 2088 wrote to memory of 2560	2088	Elmigj32.exe	29
PID 2088 wrote to memory of 2560	2088	Elmigj32.exe	29
PID 2088 wrote to memory of 2560	2088	Elmigj32.exe	29
PID 2560 wrote to memory of 2584	2560	Eajaoq32.exe	30
PID 2560 wrote to memory of 2584	2560	Eajaoq32.exe	30
PID 2560 wrote to memory of 2584	2560	Eajaoq32.exe	30
PID 2560 wrote to memory of 2584	2560	Eajaoq32.exe	30
PID 2584 wrote to memory of 2616	2584	Ejbfhfaj.exe	31
PID 2584 wrote to memory of 2616	2584	Ejbfhfaj.exe	31
PID 2584 wrote to memory of 2616	2584	Ejbfhfaj.exe	31
PID 2584 wrote to memory of 2616	2584	Ejbfhfaj.exe	31
PID 2616 wrote to memory of 2624	2616	Fehjeo32.exe	32
PID 2616 wrote to memory of 2624	2616	Fehjeo32.exe	32
PID 2616 wrote to memory of 2624	2616	Fehjeo32.exe	32
PID 2616 wrote to memory of 2624	2616	Fehjeo32.exe	32
PID 2624 wrote to memory of 2532	2624	Fjdbnf32.exe	33
PID 2624 wrote to memory of 2532	2624	Fjdbnf32.exe	33
PID 2624 wrote to memory of 2532	2624	Fjdbnf32.exe	33
PID 2624 wrote to memory of 2532	2624	Fjdbnf32.exe	33
PID 2532 wrote to memory of 2348	2532	Fhhcgj32.exe	34
PID 2532 wrote to memory of 2348	2532	Fhhcgj32.exe	34
PID 2532 wrote to memory of 2348	2532	Fhhcgj32.exe	34
PID 2532 wrote to memory of 2348	2532	Fhhcgj32.exe	34
PID 2348 wrote to memory of 2640	2348	Fjgoce32.exe	35
PID 2348 wrote to memory of 2640	2348	Fjgoce32.exe	35
PID 2348 wrote to memory of 2640	2348	Fjgoce32.exe	35
PID 2348 wrote to memory of 2640	2348	Fjgoce32.exe	35
PID 2640 wrote to memory of 1568	2640	Fmekoalh.exe	36
PID 2640 wrote to memory of 1568	2640	Fmekoalh.exe	36
PID 2640 wrote to memory of 1568	2640	Fmekoalh.exe	36
PID 2640 wrote to memory of 1568	2640	Fmekoalh.exe	36
PID 1568 wrote to memory of 1516	1568	Ffnphf32.exe	37
PID 1568 wrote to memory of 1516	1568	Ffnphf32.exe	37
PID 1568 wrote to memory of 1516	1568	Ffnphf32.exe	37
PID 1568 wrote to memory of 1516	1568	Ffnphf32.exe	37
PID 1516 wrote to memory of 1536	1516	Filldb32.exe	38
PID 1516 wrote to memory of 1536	1516	Filldb32.exe	38
PID 1516 wrote to memory of 1536	1516	Filldb32.exe	38
PID 1516 wrote to memory of 1536	1516	Filldb32.exe	38
PID 1536 wrote to memory of 844	1536	Fdapak32.exe	39
PID 1536 wrote to memory of 844	1536	Fdapak32.exe	39
PID 1536 wrote to memory of 844	1536	Fdapak32.exe	39
PID 1536 wrote to memory of 844	1536	Fdapak32.exe	39
PID 844 wrote to memory of 752	844	Fioija32.exe	40
PID 844 wrote to memory of 752	844	Fioija32.exe	40
PID 844 wrote to memory of 752	844	Fioija32.exe	40
PID 844 wrote to memory of 752	844	Fioija32.exe	40
PID 752 wrote to memory of 1156	752	Flmefm32.exe	41
PID 752 wrote to memory of 1156	752	Flmefm32.exe	41
PID 752 wrote to memory of 1156	752	Flmefm32.exe	41
PID 752 wrote to memory of 1156	752	Flmefm32.exe	41
PID 1156 wrote to memory of 2828	1156	Feeiob32.exe	42
PID 1156 wrote to memory of 2828	1156	Feeiob32.exe	42
PID 1156 wrote to memory of 2828	1156	Feeiob32.exe	42
PID 1156 wrote to memory of 2828	1156	Feeiob32.exe	42
PID 2828 wrote to memory of 1960	2828	Gpknlk32.exe	43
PID 2828 wrote to memory of 1960	2828	Gpknlk32.exe	43
PID 2828 wrote to memory of 1960	2828	Gpknlk32.exe	43
PID 2828 wrote to memory of 1960	2828	Gpknlk32.exe	43

C:\Users\Admin\AppData\Local\Temp\16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\Elmigj32.exe
  C:\Windows\system32\Elmigj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Eajaoq32.exe
    C:\Windows\system32\Eajaoq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Ejbfhfaj.exe
      C:\Windows\system32\Ejbfhfaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Fjdbnf32.exe
        
        C:\Windows\system32\Fjdbnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Fmekoalh.exe
        
        C:\Windows\system32\Fmekoalh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Filldb32.exe
        
        C:\Windows\system32\Filldb32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        40⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
        41⤵
        Program crash
        
        PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchfknpg.dll

Filesize
7KB

MD5
869834ea49c40c131bf29b9f802cd147

SHA1
aac46bc47a7fb7f008745a5ab8680e50028017f9

SHA256
6f6f2ad934ac71beecd182926925a9b602bed308320ebf8e4d48074866afbc88

SHA512
602f4327fe46bad0370db3cab136e2e1ef86e4ae5c65746a822b6e7014daead4747c4e91756c7f252654550d9202dba5f73b52ad1c32bacbc2cf98602166782b

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
96KB

MD5
38ea17c0d4eea365742c2c545782847b

SHA1
f43f08df5c32c608124152a222d6d6ab4c6f7826

SHA256
6dc2da521029b6ff854392660c51318403e5ccf7d81fc0fab18f9c979ca3956d

SHA512
c4ee2a4edb12d2ede69ba05ac30b906624646c258bcc6a1b7c6ba81d18767e28e5386daf560e587bbfdd2358718071c6394278cf2f94067e6108e9c068952504

Download Submit
C:\Windows\SysWOW64\Fmekoalh.exe

Filesize
96KB

MD5
8d217014a24bb9bab9269cba311d1534

SHA1
f978119e1146e73afc119cc580cf06a443f97bb1

SHA256
4afe260ef11522010b789d427b1c56a32193691d2d41aad6a9f6def9050b43a9

SHA512
08f8e0bee9c97e893cd47aae6fc59dd6c6707b4c576a4ddd4aaaed249bc45b350af08609508457faf827d7ea4003cf317832e4f62832b8fddb5aa7ccae785418

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
96KB

MD5
70c39011375753b78acfea26efeb9613

SHA1
ff19fe43c764595b916b10a971a060bebd4d2ba9

SHA256
46781e81586ef41926e8dd0c786142f747f6cf68cc7e1e4c46626562fb393308

SHA512
f040547777f6ce291b9eb8e03b79597562ee7c2dc9ad7487174f87cade3c167b89ce423a38dcef8c9647543083b80a5aaff59038565b43cf2266aae805f1d945

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
96KB

MD5
b9a32656537a292e059e65ec914221f4

SHA1
96a67e731c5fc9945b8454b1392ceb6cc3cab1ef

SHA256
a8785abe5979175a6438c6e8895b1cb74adb6ccd1300c002602c81c40d009569

SHA512
569f75010180dcf4a75352bb6c45cc0985cfe77e921ee972ee923d4108df075dd4359a0d4e4c005a0a6c7fd3820b76522ad54925ae09b35d54992121aa95870a

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
96KB

MD5
c435ed36c0a49d404691d50c5a9818ce

SHA1
44a4ce265921358633a8c35700edfc1dab3584bf

SHA256
26562bad649fe91f2a4336690681a1b33db16c02143618f5375cdd7e1b952cc4

SHA512
f3cba58d9ae24aa12adcf92347e843e4c328546cb4e4464cde42775a7955fede34f4173b76193ad5280527204d962f8c043ab83e421283ca894b10be7db2be2b

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
96KB

MD5
64b639ceed1815277a8499a452d09ec4

SHA1
cfba40a17318e97f0fe3c5faaafb6752e98df1f5

SHA256
f2c933f76234f41a61ddf62ee7a756c243083f6b814f63a2f9a0bcc2e8913f05

SHA512
8399f78a713eae1f47d20fe73bc1a014eee4965428dbbf11a5a4eb95611307cc02c3921ef1008b8d1eab9de2a74dd2898c3da5efb490e85f26248112539cd7b0

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
96KB

MD5
1eeb345f038ed27426a6fc290b209011

SHA1
b55b5b1ff65858cc8ee9478ad3b7d4fbfa9483d9

SHA256
33b65abbc2e141796dac9af26e819c7611923022d7862d86f76429d30b21b635

SHA512
738d19eb8d31be5f1f6a9c494f3c1b9c893e4380f52f1d03fd18e446c30c4f18be12782c1a1ae95b1d35ee56cbcddfec717bd3ef2523516a1d4ddfdb75e4d59b

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
96KB

MD5
a0f44402ea098d3a15ee65e42b9772fa

SHA1
878a7a92465fc3cd8df68d605976fd53f1ea26cb

SHA256
58ada1d63732d94b7e3344ff2d8a782eede685c9bf61c6539f5a2f563fd8ea6f

SHA512
e576021226e5d262783bf20fae37dfc537e22a9e94e1c10d9f86140ecb29e221a9b173ae31705f844ec7d7feed05f41c92ae9628b2173af9fe2cddfb9e1ff9e1

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
96KB

MD5
edfc57245bc06e1e69bbfc712f51e2f6

SHA1
23fe62b9ccde338ad369d973815e9f6d2772ecd6

SHA256
8abcd12ec9e01e4665527df7ea0b501864606a0bc0866e8b530fde7768d6f51c

SHA512
d3af142052d5919e331b36a9bd55a387f1454daabe42427c028092def7c0e761da74509d5823c77276aab72f3566e24b274d4f827ef0b5deabe4b173dee873d2

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
96KB

MD5
adfdc7b5fee0685518b240a141245448

SHA1
25a009781f0f333a92f8ec1124646196468c5a2d

SHA256
cad14cd63b35a2b289e285ad249eb9974f7d9ed642e6e1f0b0a006d5f32d07d9

SHA512
5a199ec23fb38b77fe30e8e54ddd035fe567b30e3e12fb0d803fb3d273f7b6badc91e3eaf52601528643c14c4d2c622862b0359e469e9b1bd5bab10004e76f61

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
96KB

MD5
d247fb83d65260b0cef7b8a085fae922

SHA1
cf010b89b60b146e5c4001918f91ac8d5956bb0e

SHA256
a586af3c8e1e117b755091e6aacdffe8d1fbd88ce94a78e6627419e49c249d7b

SHA512
f2fc642b40e0ff6c799dba1000a96189ad7accf8734e31c658bb993f14c10f2958d6d8cd19e05ba0b9b2d34351c1322bdda85e4959458059ae5b23b7798f7e95

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
96KB

MD5
e555d37c2a844cf179303dfe096c9d5e

SHA1
17ba877905eb605671a5d14b84e317df076d247a

SHA256
0ac3217fb8b2c50235cd04655c335ea10d742eecc4cfcc4c96e464d1bd8d7103

SHA512
131d52d5d779690344582b8c014b136757b881ec7987de0694caa504aba42fe8f15908b09d6a78a151bfabe3e00486093a42eb0c48b3bd1ba99d16c4da15251b

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
96KB

MD5
5d814c5f1f866481aa8dd7a33a890f34

SHA1
e9f820894d8f7c778f7682d021608b8eb127337d

SHA256
6188674b7d971c6b9d6540ff16dfa14ac1b56d6e9a3c134bd12fdd96850514c8

SHA512
2fa3bc30f902b496162eb9c35fd1ed5148c12138ff6b1312c2dc98f0d011141fa108c57d93202987bd9f6483cfa78235614ecba05eff0628b393b2721c10be8a

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
96KB

MD5
440966118d1229149ddcedefd8222512

SHA1
420e6a2f185c3014ff5c71a5cb43b2bcc6037a4e

SHA256
51cdfc16ae3e0ca1bd071f54c2b973ad9ae1a5c6e0639ab03c7d9bc106f31482

SHA512
872c0f34d4e7dabd12ff69ab3eb186bcd72988c3f534613a4184dafdd0bb76ac4c7c3ebfd53dab8401109e62eec28df003ff502b4a6a1592e6e6535dbb563df4

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
96KB

MD5
77d0e74de1a76cc889fc9d73fb928c3c

SHA1
b71e68f26a45eb9322f0818be8aa715e761e5501

SHA256
ac2fb123742c45488191960381733304b8124bcc00b29922227a506cb97fdd8c

SHA512
df4241deba27a2405214733853b1594e959c71777388ca664e9285c2d2094954998d7fe97b0f5ce9cfb5a5c2e9e09bfbd74d829ed742d4981a7bdfc2776b6aed

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
96KB

MD5
3ce2e9741599cb9513f93ac2969615a2

SHA1
64bde14ecf916d207a97d2fb0ca4daf4bdfe0cf2

SHA256
3a7c1fa711e5831867dc0f805481d2c3ded37e79ae0621a5141630067a25475f

SHA512
3979b85714640fd6702b9b1f767294010dd8e6dd47d28611262b9fa043ebeadd7d5cc3b0d822ab5e4d69c0751da33ccfbf7d2c7b9e03d3c1d2b5cff88cd107c6

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
96KB

MD5
519d3fe819013dd6e7d9b5ae46059ba3

SHA1
f788d01983ce98d65937768e2b6c9466ac90fb6b

SHA256
7b11ef7bc0fc1309dfd5333610855c47a4edde477ab97458a084f4430163b6b0

SHA512
569ec8294ac08e23d463653958ceb888596d486b42714da79b515508a266f24d7c175c5b31ae7ba6aaf619ca7b3f10085dd1a4c8cba179f7eb006c92a1d0d762

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
96KB

MD5
0c92466d33b5118c55c8a955d4acb62f

SHA1
0e128ce994b18f465a37dbae80e8a6f205b55cdf

SHA256
a630bd6b4c94d6f4fbd6ff4605ee03364063879663131f7e9a3ba4dbbd6eb4b3

SHA512
33c8511a50ec577d96e5941c8cc3b994b1962d1200c26f5482532c9552664dcd627f03720a7230df86b9118092472d2bbf488f765de23d01cc1bc77535c2a701

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
96KB

MD5
294ca0d56061c4a02b353386a36dd114

SHA1
8b2549f4c8af82082589964ccadc6c1593e19146

SHA256
d68a2155bfe7ec4cbd0100d68bca6c80198038630fbb21e0534241525bf71d96

SHA512
850b32c4ef38eeac35b39b8c9921b96d52e8b6cda9edebc4472fc7905b162f51ffb6beed683949d5bb6d3402e02cd5d0f61686a75cca33b83927fec8e42228aa

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
96KB

MD5
4dd39d1c53b84ec12f6a716d3f0c6514

SHA1
453e05ef5e28848595b7318352ea9c64d0b89176

SHA256
eb746f301ccc9045a115974f730f53446cb51d8617d2a9e4c767e47312f85e77

SHA512
0b2f8a758ba323d4e28a7e9b2c6235ff0a5f8e5ff11f3ac76bf3c3b97c3cf9e0b1b286e4544fd60724c32f45e99771cdf9a98354a93794cb119fcd7bf5c76fe4

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
96KB

MD5
f8da4a46053a2f9a674377fe207a707e

SHA1
44a99fdf262106b2e7047b2e29897bdabd5e9b25

SHA256
8631f218e5b2245e7cfd60952da6044ef30fd3482f59d04fd5024056a24da95f

SHA512
bdea6d8b9754ddbd0098a67b766fa6b73cf61e71d4833b5352ea2baf9f352b7aa9a51730b56e5627bb543bb0421150197c5c2ede5cdda533d46e50656065d85d

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
96KB

MD5
dbcea2b43864e3f04058e8099b9be36e

SHA1
79e9877beab0ca53d0bcce9b20af9945836064c6

SHA256
95ca4136d4648fab500658b6837597516fe5d46a9d9a9882c555098007cef595

SHA512
b3317c857bf30a49f9629d7fed0479db8b78a28b0c5470878c34aa486bbbdd722825a34a52965975ddd3fdd5bf3e5094fe69a99d7bbc288fb076ffa1e9d6d990

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
96KB

MD5
d174da2ba42e8814234449cfc853727f

SHA1
23cf79dda6a651c75ef2a8df214489f81941f0ef

SHA256
e4cfe628c722d4fdba0b8788fd86d4ff21ee0b9686034f4f83d0280fc1e878e5

SHA512
0cc11559248187696fc6a8f448c44622011b04ae0c51d07a11b75f636f7f80205733674f513b97ebf26876b951b9a0955216ad85eb4f0f69735f66e836873e04

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
96KB

MD5
0389a5fcbeb887ec0eac14a54b22c7ab

SHA1
beaf285fecd682e20a08d6ce114b865ba8e15010

SHA256
f32476b3a55009f46e5edf6905f32ee43bfb3c067922913ccaeb6555dadbac49

SHA512
2bc27ee3b96f3a789da61d664465decc6bbb248ff30e2213ffd81d3fbc5267ac85dd377b59780796a23b44a012f3b597144f317105ef1c6d468991058208d4a6

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
96KB

MD5
69ca2b766517b4ddbd94f1816a7e5083

SHA1
0fcdb0df29a8afb35d509f09dde63b346ca493dc

SHA256
3bf004c8eb937240e55304f30785f0a3474e2c3c9f8d69fc2dab4a54e8dc1281

SHA512
49e17338de2c9c1b7feb69808c176107074cabf8b1ccb5f7ff3f78c4aff360251295abc543d0586f212b82a702b4599c6d5c18012fd6936c1e2f4e545781a679

Download Submit
\Windows\SysWOW64\Eajaoq32.exe

Filesize
96KB

MD5
f1bc0216c47d0cd1f4ce1115b9d21d27

SHA1
011ae9c17ec77b85db99719ac531828d2346b027

SHA256
da71ba8273d37689e8445f2f7aea4edbea2efea1e5525b292d76aa18414c1bc4

SHA512
d6c3db7f6df37117fcdd6ffc330fd04deb416b16aca6df98ef804ab08327c3de3d492657d10710caeb141b6a23340f1c1611747f33e94390d7e2e71c0de32763

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
96KB

MD5
526a71e98bcf97c04c65452a514981cf

SHA1
927d2f1cfe40e10eda14d0a74651c4969ddf766a

SHA256
c4a8427d7010471caca4c23319d8a89d26909630d3d62838c25218f01117219f

SHA512
4b43bff55dd4d230c055037ce4745db8e00f98f144254e18b52e9b3e0450e0f323dd89aaebb8141217652b7b8bf8f2f6c754bb960ecafb9537215af28b21b62b

Download Submit
\Windows\SysWOW64\Elmigj32.exe

Filesize
96KB

MD5
9dc5039fda622d965a6253098d921027

SHA1
916be17fe325d7b2f956a4b6f3d596729bb0a79e

SHA256
f2e2ce8b8ca7a5780cf06fb72c5317c838f225c895e95987bdd1d3d08abdf718

SHA512
c826a12dfcc7a27687be91704e799b3e0e96d7893b268d1030f9231ba7bfd5835d3491c53793e71c8c0cdf4dae01479188276d6c726cfa6c3f1023e27d02b3b8

Download Submit
\Windows\SysWOW64\Fdapak32.exe

Filesize
96KB

MD5
7437c439ad654358fbdb0abcf319615f

SHA1
3a1bc7fb55f9d68e231f824c1659de245c759e5f

SHA256
0429f88ceba756e7a4dcb6f1f5fb217792b4839e3d6aeb25e8018123ee3c9d2f

SHA512
f14aa1aac3bfe1ec8b73c30588c46f954f8ffa944fb9020011387d448bf165b0b3fad921a12ac8e4dcd46c63a359368dc51bec57ee39037404772c4eabcf5b4a

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
96KB

MD5
cfd40b372d72468a73ac85fe60a9571e

SHA1
96f3419e00a75ffe477fe6a16ee2a036ac4d2ecd

SHA256
c882395e00b5671abfb23618c07e9a3dc997027476d1736f18898c2d42abce5a

SHA512
5e5d1fb26dbb343652775dce4784860c71aa7d9e812a5740574ceac1327ec79cc13a6227efa15314a2440a6e82709d174b1722e7e2aed531bc24136894c58d64

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
96KB

MD5
b81653c52be292c7ee5e1938d8e14066

SHA1
b3d83f7ca5cf40999da126e1c7f395bfd036629a

SHA256
eeed4cedc4b171437a0c585f6e9b62cc6fdae1b6927457d1cfcb67a3f603e4a2

SHA512
0658aae61ad52bedd7a1402ecf614e1667bc9fd6f6d1ebe909962576da2a826ab911dd6e68d4471fbd8402d804f6ab95e2a67f8b437d0894a4135541cb6b18e5

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
96KB

MD5
67c4ff283d5bfa108850feb5216067c4

SHA1
8c7a211a4304c7406270b9d453949f4a7dc4fb91

SHA256
6661d6eb6b3cbc99527c941d4d8d052c58eef86b115d57ae250de21612e9d4c0

SHA512
4db15136baab894b1be25c956bd14ddd12dbfc2c296d7a60dbf74d496a8d65fef253b18582a2313362b01f2aac2b3be82cdb0eb1f5a6353b13e831e032dcd507

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
96KB

MD5
57d5e1774c3f1ab67e17202afb5dce46

SHA1
5d63504a340900202cb98a169bcba8da919b2cbb

SHA256
15ef7526cc73b603cf48c9045bbf8f9b19c0e459addc5c21c63aa31296bb217e

SHA512
a8ac875dadf6a71cdafb14387708197a5d94b2a1f826b6e7e6915c4b5234a60ccdd17e629126febad859a2629d9d4897a59364c3c187189788c1a4afde13b536

Download Submit
\Windows\SysWOW64\Filldb32.exe

Filesize
96KB

MD5
ca2c63c22cb4a6792ec2252946e24add

SHA1
103a852ce5562f39d19ad0f672d01d9a4ca86cd4

SHA256
308fdff5bdde2454f067a43949e6a2de3faef78707646c2276c31572e736822c

SHA512
2274c28e2a8cb81c5d15cd917f53e35beccc3a9d604ac0f6546571f3df355ef4437052bf74cbad8bd2cb03903765ce75961df6dda4cac8ca57eade8ebce73f06

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
96KB

MD5
e3b69088aed1d7bf7be20e8988450d5a

SHA1
db3079a550cac502d77ff6c5da548dabd7919020

SHA256
5085152b0c58ac0bb41d606a9632c544ae2bd524f84f358b2e3901bf986c20cd

SHA512
9ef824fb4aaea7368ab4522b29a83e0f95b54cd7883aee746af94854afad476fb55cd091780c2cdbf73dda9c70e61a8b67c362e238ec6b8a4472d3d7416608e4

Download Submit
\Windows\SysWOW64\Fjdbnf32.exe

Filesize
96KB

MD5
dc61bd56f97c98a3a82c305677a43b8d

SHA1
46d3e30eba4c03d01d2ed098a2436f5eaef72a73

SHA256
268564ec5abd8c33895395a9646f6f79bb366e6a716d5838a24e995bf487052c

SHA512
cf9caaf945858692188b08b06e316855e0f7f7ef6d3eade93c022a164b421ec04c7604fd6c8efdf0803029872326f237488898ba203dc1424dfa6ce31e9debf6

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
96KB

MD5
b8f4d09b3c72b7f9326cf48e2ed57381

SHA1
4f15d2d2c212637136c4a982d5e1dae54bd78ae7

SHA256
cf6f98dd3a9fa60ce96951083294c55b89c768bb13e400fbaee20ef88541b0fc

SHA512
39aeddb0e33f816369f9b2535a63872a505397abbc5144a92921b3ddd8396f17d732cceabcfcdd3f78b12d60bd56865d24157c8300bb1957ec83a7e0893b8eca

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
96KB

MD5
2c7680b902938bf7e3bfca1746c7c0d5

SHA1
0d52d2db397aac53d52b8b2bbcd72bb2a0c6b970

SHA256
a487b0d6fb61cb2f6a359731430ea34de2ae4905f73825f6af75f68adbc4835c

SHA512
b0d4611d03e5f6a5fefaeaba71091329eabc0a8ba5ecf6db6b956b789f9239dd961283ef8bb5f076c041628f499bf61099db9f6dc79761d99e0f589746ffc10b

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
96KB

MD5
456ee847480f4415dbf76ef643ed0607

SHA1
0d37634ae9809f28d809e34fa6b9614a52f05aee

SHA256
6a73fe854fad75acf0b5a7889c66e8f75dcc8ad3c784250f432536a05eab0e7f

SHA512
9fea6c72928dc20007ec17bcd77bfded25cfeade7335a14e354495e5019277e9a2a5ccddaff95ffce88991533f888fbeaada2b66adecefa89cf960e5f4fe11a7

Download Submit
memory/584-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-243-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/696-242-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/752-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/844-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-286-0x0000000000350000-0x0000000000391000-memory.dmp

Filesize
260KB

Download
memory/880-287-0x0000000000350000-0x0000000000391000-memory.dmp

Filesize
260KB

Download
memory/880-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-280-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1012-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-275-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1152-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-341-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1476-340-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1476-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-460-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1492-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-471-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-450-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1556-449-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1568-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-438-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1624-439-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1624-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1700-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1700-308-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1700-307-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1836-302-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1836-300-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1880-265-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1880-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-261-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1888-323-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1888-318-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1888-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-106-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2348-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-395-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2452-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-391-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2484-388-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2484-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-387-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2524-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-418-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2524-417-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2532-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-431-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2556-432-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2556-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-53-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2584-49-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2616-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-80-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2624-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-468-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-373-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2688-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-351-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2688-352-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2732-368-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2732-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-367-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2828-215-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2828-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-222-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2872-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-254-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2872-250-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-330-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2900-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-329-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2944-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-402-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2944-411-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2972-12-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2972-462-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-6-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads