01fd55783c26b891a19012be6725f22c128ca7e91df62a4940bf08afce4d5d3e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Size

340KB
MD5

1a8049cf0673a10300cc9d92a9c144e0
SHA1

0c5a220839e5aa38018a3effaea8fbc28af07bcd
SHA256

01fd55783c26b891a19012be6725f22c128ca7e91df62a4940bf08afce4d5d3e
SHA512

32700811fa22fbf9879fa3f4ed5bd8f1a6d60398a66a2d6b0a6b882b256948bbc24ca66a3793949ce60f027435c6f90651935ddfbbcaab663a6c4900a87d1a4f
SSDEEP

6144:36HrjIyedZwlNPjLs+H8rtMsQBJyJyymeH:wQyGZwlNPjLYRMsXJvmeH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epieghdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe

Executes dropped EXE 40 IoCs

pid	Process
1824	Dmoipopd.exe
2360	Dqlafm32.exe
2580	Dfijnd32.exe
2804	Ejgcdb32.exe
2464	Ecpgmhai.exe
2700	Emhlfmgj.exe
2208	Enihne32.exe
820	Epieghdk.exe
2724	Eajaoq32.exe
1828	Ebinic32.exe
1816	Fmcoja32.exe
2320	Fnbkddem.exe
596	Fdoclk32.exe
2216	Fjilieka.exe
1784	Facdeo32.exe
1508	Ffpmnf32.exe
2820	Flmefm32.exe
1104	Ffbicfoc.exe
576	Fmlapp32.exe
1716	Gonnhhln.exe
1256	Gopkmhjk.exe
920	Gejcjbah.exe
2288	Gkgkbipp.exe
1316	Gelppaof.exe
2508	Glfhll32.exe
1208	Gmgdddmq.exe
3048	Gogangdc.exe
2560	Gphmeo32.exe
2684	Hgbebiao.exe
2656	Hmlnoc32.exe
2756	Hejoiedd.exe
2484	Hlcgeo32.exe
3052	Hcnpbi32.exe
1648	Hlfdkoin.exe
2628	Henidd32.exe
2232	Hhmepp32.exe
2396	Icbimi32.exe
1260	Ilknfn32.exe
2224	Ioijbj32.exe
1516	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
1824	Dmoipopd.exe
1824	Dmoipopd.exe
2360	Dqlafm32.exe
2360	Dqlafm32.exe
2580	Dfijnd32.exe
2580	Dfijnd32.exe
2804	Ejgcdb32.exe
2804	Ejgcdb32.exe
2464	Ecpgmhai.exe
2464	Ecpgmhai.exe
2700	Emhlfmgj.exe
2700	Emhlfmgj.exe
2208	Enihne32.exe
2208	Enihne32.exe
820	Epieghdk.exe
820	Epieghdk.exe
2724	Eajaoq32.exe
2724	Eajaoq32.exe
1828	Ebinic32.exe
1828	Ebinic32.exe
1816	Fmcoja32.exe
1816	Fmcoja32.exe
2320	Fnbkddem.exe
2320	Fnbkddem.exe
596	Fdoclk32.exe
596	Fdoclk32.exe
2216	Fjilieka.exe
2216	Fjilieka.exe
1784	Facdeo32.exe
1784	Facdeo32.exe
1508	Ffpmnf32.exe
1508	Ffpmnf32.exe
2820	Flmefm32.exe
2820	Flmefm32.exe
1104	Ffbicfoc.exe
1104	Ffbicfoc.exe
576	Fmlapp32.exe
576	Fmlapp32.exe
1716	Gonnhhln.exe
1716	Gonnhhln.exe
1256	Gopkmhjk.exe
1256	Gopkmhjk.exe
920	Gejcjbah.exe
920	Gejcjbah.exe
2288	Gkgkbipp.exe
2288	Gkgkbipp.exe
1316	Gelppaof.exe
1316	Gelppaof.exe
2508	Glfhll32.exe
2508	Glfhll32.exe
1592	Ghmiam32.exe
1592	Ghmiam32.exe
3048	Gogangdc.exe
3048	Gogangdc.exe
2560	Gphmeo32.exe
2560	Gphmeo32.exe
2684	Hgbebiao.exe
2684	Hgbebiao.exe
2656	Hmlnoc32.exe
2656	Hmlnoc32.exe
2756	Hejoiedd.exe
2756	Hejoiedd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Ecpgmhai.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Dcdooi32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	Dqlafm32.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Epieghdk.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Epieghdk.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Cgcmfjnn.dll	Dqlafm32.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Lghegkoc.dll	Ebinic32.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gkgkbipp.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Eajaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Dekpaqgc.dll	Ejgcdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Fjilieka.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fjilieka.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Jfpjfeia.dll	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Dqlafm32.exe	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	1516	WerFault.exe	68

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epieghdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1824	2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1824	2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1824	2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1824	2064	1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe	28
PID 1824 wrote to memory of 2360	1824	Dmoipopd.exe	29
PID 1824 wrote to memory of 2360	1824	Dmoipopd.exe	29
PID 1824 wrote to memory of 2360	1824	Dmoipopd.exe	29
PID 1824 wrote to memory of 2360	1824	Dmoipopd.exe	29
PID 2360 wrote to memory of 2580	2360	Dqlafm32.exe	30
PID 2360 wrote to memory of 2580	2360	Dqlafm32.exe	30
PID 2360 wrote to memory of 2580	2360	Dqlafm32.exe	30
PID 2360 wrote to memory of 2580	2360	Dqlafm32.exe	30
PID 2580 wrote to memory of 2804	2580	Dfijnd32.exe	31
PID 2580 wrote to memory of 2804	2580	Dfijnd32.exe	31
PID 2580 wrote to memory of 2804	2580	Dfijnd32.exe	31
PID 2580 wrote to memory of 2804	2580	Dfijnd32.exe	31
PID 2804 wrote to memory of 2464	2804	Ejgcdb32.exe	32
PID 2804 wrote to memory of 2464	2804	Ejgcdb32.exe	32
PID 2804 wrote to memory of 2464	2804	Ejgcdb32.exe	32
PID 2804 wrote to memory of 2464	2804	Ejgcdb32.exe	32
PID 2464 wrote to memory of 2700	2464	Ecpgmhai.exe	33
PID 2464 wrote to memory of 2700	2464	Ecpgmhai.exe	33
PID 2464 wrote to memory of 2700	2464	Ecpgmhai.exe	33
PID 2464 wrote to memory of 2700	2464	Ecpgmhai.exe	33
PID 2700 wrote to memory of 2208	2700	Emhlfmgj.exe	34
PID 2700 wrote to memory of 2208	2700	Emhlfmgj.exe	34
PID 2700 wrote to memory of 2208	2700	Emhlfmgj.exe	34
PID 2700 wrote to memory of 2208	2700	Emhlfmgj.exe	34
PID 2208 wrote to memory of 820	2208	Enihne32.exe	35
PID 2208 wrote to memory of 820	2208	Enihne32.exe	35
PID 2208 wrote to memory of 820	2208	Enihne32.exe	35
PID 2208 wrote to memory of 820	2208	Enihne32.exe	35
PID 820 wrote to memory of 2724	820	Epieghdk.exe	36
PID 820 wrote to memory of 2724	820	Epieghdk.exe	36
PID 820 wrote to memory of 2724	820	Epieghdk.exe	36
PID 820 wrote to memory of 2724	820	Epieghdk.exe	36
PID 2724 wrote to memory of 1828	2724	Eajaoq32.exe	37
PID 2724 wrote to memory of 1828	2724	Eajaoq32.exe	37
PID 2724 wrote to memory of 1828	2724	Eajaoq32.exe	37
PID 2724 wrote to memory of 1828	2724	Eajaoq32.exe	37
PID 1828 wrote to memory of 1816	1828	Ebinic32.exe	38
PID 1828 wrote to memory of 1816	1828	Ebinic32.exe	38
PID 1828 wrote to memory of 1816	1828	Ebinic32.exe	38
PID 1828 wrote to memory of 1816	1828	Ebinic32.exe	38
PID 1816 wrote to memory of 2320	1816	Fmcoja32.exe	39
PID 1816 wrote to memory of 2320	1816	Fmcoja32.exe	39
PID 1816 wrote to memory of 2320	1816	Fmcoja32.exe	39
PID 1816 wrote to memory of 2320	1816	Fmcoja32.exe	39
PID 2320 wrote to memory of 596	2320	Fnbkddem.exe	40
PID 2320 wrote to memory of 596	2320	Fnbkddem.exe	40
PID 2320 wrote to memory of 596	2320	Fnbkddem.exe	40
PID 2320 wrote to memory of 596	2320	Fnbkddem.exe	40
PID 596 wrote to memory of 2216	596	Fdoclk32.exe	41
PID 596 wrote to memory of 2216	596	Fdoclk32.exe	41
PID 596 wrote to memory of 2216	596	Fdoclk32.exe	41
PID 596 wrote to memory of 2216	596	Fdoclk32.exe	41
PID 2216 wrote to memory of 1784	2216	Fjilieka.exe	42
PID 2216 wrote to memory of 1784	2216	Fjilieka.exe	42
PID 2216 wrote to memory of 1784	2216	Fjilieka.exe	42
PID 2216 wrote to memory of 1784	2216	Fjilieka.exe	42
PID 1784 wrote to memory of 1508	1784	Facdeo32.exe	43
PID 1784 wrote to memory of 1508	1784	Facdeo32.exe	43
PID 1784 wrote to memory of 1508	1784	Facdeo32.exe	43
PID 1784 wrote to memory of 1508	1784	Facdeo32.exe	43

C:\Users\Admin\AppData\Local\Temp\1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a8049cf0673a10300cc9d92a9c144e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Dmoipopd.exe
  C:\Windows\system32\Dmoipopd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Dqlafm32.exe
    C:\Windows\system32\Dqlafm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Dfijnd32.exe
      C:\Windows\system32\Dfijnd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\Ejgcdb32.exe
        
        C:\Windows\system32\Ejgcdb32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Ecpgmhai.exe
        
        C:\Windows\system32\Ecpgmhai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Epieghdk.exe
        
        C:\Windows\system32\Epieghdk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Fnbkddem.exe
        
        C:\Windows\system32\Fnbkddem.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        42⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 140
        43⤵
        Program crash
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Enihne32.exe

Filesize
340KB

MD5
186ea94067a2354befbc178df5108b53

SHA1
7c7717149f9dc8f170d3dcb9a995a1b5a524e473

SHA256
b926ee88722e5d1349a57d11bc7b0bd471382ff9e8ce225dcfc77d7fbe7d4b88

SHA512
9858b4dc6ae21a1d907bfacc4191b9d2655f1212f104248d5d96bef1249df6f4e17b473d796ea6cfd28521085b6bad86af48b678058c2e3012f65f56b93ab418

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe

Filesize
340KB

MD5
264a85f1de07042bd59836de2da4a152

SHA1
a467bac3a8186f4c88e68188217eae888427e6e4

SHA256
ee95e0187e602a1d301c8196fe149d936a39b821151b99102418a734c28557ee

SHA512
2a9f12948ba11043e02a49000cab55489837f3352af0822ee91119c7d51e1fa508db8dfb8b399be8b5c66ee60f8aaf5a96321df5dcab66c9629da61e221596d4

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
340KB

MD5
b1cee3c48c80100a606470019559292e

SHA1
9ce00d232912020b6cd9eb9cc36db6c06ae39bd4

SHA256
7e985d4f3b4a22abe23ecc494cff9407207199c0fe49ce1dd5fb7a997bd139d5

SHA512
e4ec9c47c173d4914540a80710a8bd8150a965b13a0a9dc1ee5afc6dbefe633861fdfd73ed103c3e9bf071b14071a5636b83e212a7373409c26fab87bd60c0d7

Download Submit
C:\Windows\SysWOW64\Ffpmnf32.exe

Filesize
340KB

MD5
549af6809b65eb64c2eca04087e6105c

SHA1
477f3a24079364612890777ef0cb8fe66990a13f

SHA256
f96280c04bcef34f53cd8be3c7067195d39a2c17af620db195ba57ae934e988b

SHA512
07f59d40b7a86747edb5ca81d67ecf41fba6a761d3edaf2fb7bb800e0606724cd15b743095faa38d3ecae16e62b2c6996b05ca11d4406fb315b2d104e363b2c0

Download Submit
C:\Windows\SysWOW64\Fjilieka.exe

Filesize
340KB

MD5
392fbda71f357ab4944dc0977ccdcf90

SHA1
680c27118a4b5fbdfdbf11a28ea32b48c173a0b6

SHA256
1e865b4e22f9dfac5a279f84d5be4ca2f5abdcaf42f7da930b4c63031dfb3678

SHA512
67079c5393426e1e12931ad4abdee7457cefaa61f77505e2e9276e953986fdf6adb2ead9b63631ca8e57384137b3c9f39c56fcfd517e585d35ce9ca0297f6526

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
340KB

MD5
40f81d2137241108dda49e720486b4dc

SHA1
e3bc10f4f2f53deea4191e052f1dfbdcd0b9ca52

SHA256
7015e32904f81fc7003d18b0cb0e0208df9208cb30acbcd1edce82e19f04f1ef

SHA512
64ec60a7bc51d098a2783fd17fccaba3bdb460dfb27685355ae0e2c0e3c8657edff5cae48fe0a442609210f4ddba8d20b61f6314a7690fdb91ae4545fae61023

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
340KB

MD5
4fd7f8b1f8be28d4b756ff3fa6cde569

SHA1
e22f3a36fd61fc057fc1e133c5de14741d571862

SHA256
8b7c1186662c98662b5f37f3d7125a301fe4028858bf32e6be392668b19d8928

SHA512
77a8e3dd7a02cd39c9e4dcf4c0819de26c3ff9de6a8d9bf03a475ca3f156047074f11b6e34deb96092bbd510568e72b89b7cc3651d04df6d6bdacc26c0826a21

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
340KB

MD5
ca58bf6c75a487172d2a939d3ec0a03b

SHA1
e942e60acffce6ceb491b9900ef5f72a0167f54a

SHA256
584d748557ce67d3364c9b748f4aed2bddf75411c6e3c96cfd4aecaa40403dee

SHA512
adc42e944d583918202f3bd67f0fe1486a5c0e16f94bf89b546e48bd3d54bf33039d51f87f96a53bfe54b56399a8a7eb70a16198c487bc538b55e07e1b7170db

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
340KB

MD5
446ffc0b2d9a56ba8fdc39dead4dabe4

SHA1
fe2275760ad75423014bdb60af0f3a3d6851cb50

SHA256
33108c92fe629fb3c09f78732f388337e0264ec68ec1ab983d4b174bb2f3844f

SHA512
6c3e5d762ceb58620316b2fd053880a92c0376101ded58d61bf0291ba6488abb8880b8c8c566a2e4a36bed058f433b961fae66e9d607e6f08f1cfbe95a2400b8

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
340KB

MD5
fdad3d5d3de359ce7c5710f5abf6d202

SHA1
495a900dec64dd236568e6349e63cdcd4a87b4a5

SHA256
f0dea850f2cc338ef8469e191a64d75848ac08ead29a501aff840122223067cb

SHA512
c6a7d851f7ce8c8f7c76285337472a8c77eb9b4867fbb61c1266899da15255a75691d6308a9b6c746cbe1b2e4c26b533669d14d7d8a8ce32f442df4c854c767b

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
340KB

MD5
2cc63920b793fb0427f72331ffb9f48b

SHA1
eb202eb040bbeec75f4fe532f2ed47a9b015ccb2

SHA256
8f8f0a521e65a518024f039b5dcb698c0266a6dc897db49e5650e3511a3d6e11

SHA512
d7502cab775a0793d2c0753a4d2c2fc362b06f5d39c962ec81a28f62cd5f8b182dcffe43730eb0bdbb2dde498ce50360e1ffd932022ae92d96c07928db0e8a75

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
340KB

MD5
0ccaa7734456c28bfd0a3dcc6e0bf645

SHA1
15f53a31659f4cbf0076c32f3b396c71b7a15231

SHA256
3f7ab7751e824e3072df1207226aff1ee0af2cd0d9eaaef8d2a39b52a29e6df4

SHA512
ba634f3087629c1e162d9e8b11f7adbd0e1f629d9a4ebc78c201d3c8439315916426ebe72f45718caed74b0c8a9c365e92167967813a5bb2a796575fbb63c067

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
340KB

MD5
77820437df62a8837ebd59786b93887e

SHA1
d6275b1fdc632e5a11cc3aa850f436246e259a06

SHA256
4554923eee0d4e8417fcfc69961b58fd1d750230538ef3fb90701aad1cb2d425

SHA512
782f735c9965bcd30357102394ef6069b4d108f7087f8fe17b50596768dcbfbce8e657a28b389e7432c37689b1f7b72427e9a9753716c7eeaefc10b72791e181

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
340KB

MD5
ecb63f191c54485921d341f3725ccd93

SHA1
3eaf58d2b7285b125350622bbe64efed3f4cd666

SHA256
3abc710273f02a6f8769bc7deb8b394c678fa2048e461be54078045d42b32d97

SHA512
3b4e10b87477c0eeeff2c368725d84c020e7b3f6a0f7909f2d5f180943350b1450138e9608be64e44c9a5335a32149537f13b55aa3b6632ffe1ef1e29073320a

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
340KB

MD5
a4e34e50341867e138c020f171b1e6ab

SHA1
c2588bdb9b19e90d38996be51deb2998064b12e4

SHA256
c5bfaed7e35b2d05456fe541d9f474404ea293ee90eb06d47272f671da4b7ec1

SHA512
6f7938879a90fc39e0e7025c9ad1f10dc42b8ced846891bb947c734be8d917a4837eeb12a5ed8647efed50a812e99f33e94f4b1684a1cff1070664a1c0d93205

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
340KB

MD5
d71b5903b2fe2466d72239f45a8bb80d

SHA1
6eab96ffd1ffbe27085d26e53dad49b09572fbe4

SHA256
78a927e75eb4b8ffb7ba78145bb8a397b8a73a5ad35315b621085292ce093847

SHA512
ff4442b282eadda72d6740a82ef4e3f738e7c96de2f2dec564e87297a9dfaac6dc8cd0b44726a5cbde6eec1cc68a48b3c22c5de996a9d7b6203491fc91fc4554

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
340KB

MD5
ecda1ae861b9f69853f73c3de5edf794

SHA1
88c953a80762d08cb72fb10c71706e978862f7dc

SHA256
5a3a086f4ec88352a89770542b9efd2b9bbbe4ff2487b8fb9395b23238570331

SHA512
5a8216a75b8fedf0bc98a2b1c9f655864e9b48fd20ce735c424069a390cedba46cd868183c9bcb0a5953e69a1f123880d40187e229bc301f97b61c58bc694bf8

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
340KB

MD5
4d4d0012654543b0856d4bcceba90320

SHA1
837a0fddce793fc42844a79163979d9cb85d0a2f

SHA256
8abf93f76c96b2d6f5c616b49793a61b514c0adec47b480e07e9b88b6f66a891

SHA512
d555e222591b4fe711487bf82ae0547a467c8bc6c53d54bfd1693a1631400dcfb472c8bcfdb6c9e8953856ec76ead72e3226a523664861ecf7c303cf82793a10

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
340KB

MD5
bd7516a4b3cc39870e6dbe4f58ab2a49

SHA1
3d5267026b66d1256c8d52891efbfc16ca652f1d

SHA256
08ea017a944774472f0574314970b627eb3e1a9890c745362e4f1073a3906eb3

SHA512
62fa5ca0938b7c73812eb59f2898f149da2f361a42e391dd74aa23b1714bb662228a3823e6ba0f3b2f578f1a5eac2651aa7daa9d8cc1aaa825eefc3ab3788b62

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
340KB

MD5
c5fc0dec0d772b3590e7b9465e345732

SHA1
4c17c4c514ae3083463cadc8d357e06df5b11d3f

SHA256
c9ad04d901f18189c0741b3aff74dd2081c1be064ee919b4a1ec148c4294137f

SHA512
b8e9a2e2b3b2e2a756a43d87507058d22e63e5ef8c4037cf92d029dd5e6bde720c3a6a09125a8f0ffcb8b3a4f5a1834a24dd21095ace25b15c0c81f3f13d33ff

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
340KB

MD5
a92352933383b348bcc965303f9452aa

SHA1
280be0be8af2423c1830429d66820751d83a3bbc

SHA256
fc0594bfa1d5da88b53269dd29127d1d054641d8b1cbfe33103a9bd6a046ca1c

SHA512
cbeaa0bc721418c1c447999cad2e32a64c44dcc3c84be44e629e6f53252fce814cd1de6843d4a81b431e6922714274d41024192694df81f16938cfa0f4ad8cd7

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
340KB

MD5
ee6a83e7f34c0fe67754b0a31611ddeb

SHA1
516506a557c32e85bd4ad53778e8f39062e119c6

SHA256
38fe923187266e38d29d9e0df81395139fce60305e0c115aaa9684e23218e065

SHA512
f06030911e28109a2d84b36395f28f30833980681ffe0a61eeb4f3b9b8bb3a08ad7e63d9252d3d79bf3ae896b8d673d5971f56e83e6426c9c1da2280fb944f72

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
340KB

MD5
c9ee10b599e2f45f104076babdf2b97e

SHA1
62eac4931f2d5fc96bbbf5bf15f3640870ba0eff

SHA256
5ac1b38ffde9a30cb4cd180dd91d76be96d0a2284935e26e97ed56f3a6d44550

SHA512
21b01f80abe9ff0aa27d8da8bc4e5be2a3a76bdf82145f3bf857d33ff32ba4bc56eca8b9e0b46b4aa2540bc2b018c17992054e61430c46296e9ad33692df0c9e

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
340KB

MD5
8902c466ead788b5b5ce93b9b6298365

SHA1
119f063fffb4283d680d51bcadecaf51b7a0e639

SHA256
1859fb5652b9d037398e326a719c1ca9bc7fe0471f4e5b835b1163938c32e7ff

SHA512
567cd9f88c8f8f335ccbb87edf8e88b90c11465a47d51ea57ea56e017741fe2982977dd4a3e98989e042ca4f91b4d1d5369f62a6696d4fc569e0748a8037c523

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
340KB

MD5
99f2ad85010af4a41442ea20c62ecded

SHA1
a6fe43467a3f92965ae98c9a675a28635a6738c9

SHA256
1e175d64b9f240a718b0eddedf9ac990bc1dbf4772608bbe4a88716ffc778fed

SHA512
036990c6f8cb061e4ea4cb5a19c550d3af9144359a138b75ce6aea134959824b7e90f8056b0d147c28ee44351af431c1946b0141a89aeb65f940c30794ee0f9b

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
340KB

MD5
33ebe054e8c3f2da240cf7f8aac7d3bb

SHA1
9e5e9ca128c2929c0f9f3f04d2d088af810fd842

SHA256
38c13c0aaec5d17794d34d7773a5e9779427dc5305bf7996ad01df6c138bb2a3

SHA512
f601bb9da1e3665806e81baa5ea4bd6d00c42a247b1eb6ab97d9cd752c856a3029bcdf4138a14b60c2d5bb98e9363197dd8604ea5f25d2c03fe3f4dcb3a93fd8

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
340KB

MD5
b61e82e6532cac5fd8b5a46e813b4b3f

SHA1
9cf7d0287d17a935ce4f3a2a732716a374b8be8e

SHA256
319111f451712fc6cf68ea6ca97154e08c7167ea80a49b92907a7bab0598b13e

SHA512
69e5eab04fdab0efe5f854d7932afcb178583bf2dea4e7e96417136bd6e4b109c3d06dc3231c3bca2ffe4fda05daade6eb176aa28e9ae57b17539745703fdfc6

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
340KB

MD5
4c6a0d887bfa5e3cec445265d7c2b8c7

SHA1
712654ae34bee9922b73b1544e2588682eac590b

SHA256
65beb40cdf015be453eff34bbd8db814144140e95681c9addad47e98ab3006b9

SHA512
d51b92e87878432062aded112045399efa4c3fff69907e2e7e2cfcd57ac2b16f93665bd20a661da5f9d2a6fc3dbbbc56ab1dcd217bfcc5df63a04a9df3f0dece

Download Submit
\Windows\SysWOW64\Dfijnd32.exe

Filesize
340KB

MD5
7bb838abd21e06faca713966ef3444ac

SHA1
4a251b977804b4ba8ccdfc3e5014c0ab6c0992d8

SHA256
512efa62b3a7e5b7939d5f01627a4205b61a92394d86851c5622277024752db9

SHA512
fc3143d481981937063aff3cd9e0461f7e30e01fc633d2eed8e2a0d379c816ce705d561f04cf3d566e62b4630b46e1132d64c8285bc1190005087ffbb0644c8e

Download Submit
\Windows\SysWOW64\Dmoipopd.exe

Filesize
340KB

MD5
32ea5ad954ad2351562c935cedd2eb03

SHA1
d19095caa3cd6a4118d54c8260aa465d37317b41

SHA256
493e85c767aef285708fa0c0010e474d0e3bd7d43312c1b487f2deb918431f0e

SHA512
7ebbd6f9f09e7dca7c8af17f0a0037575f300f0b37c9a7a9eaa77de5ce93ee757c893804618b373371723b43102504408e82342a81218ea090c3791f3b097cc7

Download Submit
\Windows\SysWOW64\Dqlafm32.exe

Filesize
340KB

MD5
a9326282690df5cc6b248b5a0074dec2

SHA1
bd7d073bf52155b0940e36c9c3645d772b654761

SHA256
a5a7cf0e00ee3112bd9d5011171a0293d42c2853e853eaeaffdfce8bb2d60fc7

SHA512
fcb2d06614bd16bdf45eb9a8b1ac1167d758363dc96b03d71980cca854fccf93db884018e0dff115f70d15e0b1b8150b33e51031ad240c4c8ad931f59c1a5ae9

Download Submit
\Windows\SysWOW64\Eajaoq32.exe

Filesize
340KB

MD5
cb7c0d6676c02e814b9734d9105a55d4

SHA1
08ccd3c41bf6d64ca154795cdc856e5edc1d3f33

SHA256
89f2c267d7a4b9275b0cea48305881fe7aedd0c1f18bb550d193827589471906

SHA512
c4eb07869c1e20186363a421582a52fd2a4872a80c06f495091be43294bc3b555ddce29b9e30672057abe338b036005ac96d358707a08c7b5269f78542ec0a36

Download Submit
\Windows\SysWOW64\Ebinic32.exe

Filesize
340KB

MD5
ac53ea2dfdd430097cca648f96d92a54

SHA1
985cc00ecc9db410a47409c0a56d2bbaf5915a92

SHA256
856850ec24fe2c0611d43e446bce0bec0415db3f8774971f12a2b9a56c912c7d

SHA512
dbe1d2f1513d74a8c9a58e2d591f95ad7f8a36337a26919cf32c011bdc91482241e3e148a856611dee779814fa79616e6dc66d36887f5d098e156cee3a387c17

Download Submit
\Windows\SysWOW64\Ecpgmhai.exe

Filesize
340KB

MD5
351218acd4ebaad9ee106db4a61ef931

SHA1
9c0c6ded0d6ed21f2c8a17143dd80373ba177cdc

SHA256
76528dfe6d49c4de9a61b533ed68d73c629a51924200d328ba0d470ce484704b

SHA512
be73591610d6530ac7b29348eeaf4bf5a38fcde218d892678d925f06ee4fc1394c29ccfab176cb0619b69a77cf7d27eb3c92b6745ddbdf31869a01dae53fa3d3

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
340KB

MD5
61c928f6e0fc2f97e4fe385b53a57047

SHA1
184f334b36bf35b3fa62c6f6d73a05dffc8c8ebb

SHA256
907de6c3b2dd9ef460d8db2baf153458c701b29fb3b0bbe0f2d9e5634a544d73

SHA512
ae1a59350fb01abe26175b0d121f383964d76e73e7df1e885107b6bb623c4f2fef05587ede62e17bd7bd28b08015d16a7830a6c8f4e05f9bef569f7b6723d052

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
340KB

MD5
e7711e3c2db2a8acbb710b36f5453c35

SHA1
da3f3e772dff766d751731b347bcedd5a0d628dc

SHA256
24982e51979879c0ec07dbf83a9ab1b8d95776233387030442c11464cfac7075

SHA512
bc1f4bb7756e964e6f5f35ad25b1f4d81a8432715818bd743c10de7e15c272bff6aff68bd45fc90c1bf71eed3e2ae76d012e31f29c34de464afcb1306e5c8684

Download Submit
\Windows\SysWOW64\Epieghdk.exe

Filesize
340KB

MD5
c3d0db6eace959950e15c5ca8ebc9a8e

SHA1
802e3b091cb087004b444bb92dd034d14c7fc793

SHA256
4ccf1c863753ea2ea7f333bc859229b03dafa49975c02e7af765581c4978b72f

SHA512
26f53c5828819f7d9444b87211dcbed97f9b2b5934bc56f0dd35676e771732f0d1b576d1656bf2fbfed8c4c1538898bcfeb80c79c89ec8ad99d4c7eb91d1186a

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
340KB

MD5
5b7da5067097be5585f082628d20624e

SHA1
3936f993b0f23491f99b1e6713c66602daccde12

SHA256
9eb79461922a494fae928fe0c9c3d9ee1d47b8fca1f288128aa249aae9f63720

SHA512
6bd4361e7904b41677940005a257c7aead4b2a2126c614ae7eb929132a35340c0f105c058551bedff7a81d9b03062f6e2e347b22a477a262130e03886d530018

Download Submit
\Windows\SysWOW64\Fmcoja32.exe

Filesize
340KB

MD5
08130ede14ad7cabaf2ddab4283fd344

SHA1
2dccef792a95b33afdb4f5eb5f85742688ce6752

SHA256
4429aabc93508d70e0cf7eba68270b732dbade0c1e261afedd932a06d9ea7dcf

SHA512
ceb1b1dea12b3dd2e279d0c68d1ff3c37897d542423275e3ac81d6e65481ef15d7e03c9a8bf4d2e92a65f11a9d8d58757bf789b3405e986b7549c715fce159f0

Download Submit
\Windows\SysWOW64\Fnbkddem.exe

Filesize
340KB

MD5
f4d883b775101c3bddaeb30d7da5a753

SHA1
e216a495612ebffa88e212e60dd0010e4e2248bb

SHA256
e372ab61e5a056b1adb00cb45d92459a1c7315b30ecc3743a158e5a142c510e8

SHA512
619f239fb79947076ee5f5405dd44b96fb668e8fb2c0f3a8a58bb609d749a1bf63f31c8e46945073c2e7924537c435f0a720d3b903f740c4b3320b827c99a695

Download Submit
memory/576-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/576-261-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/576-262-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/596-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/596-188-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/820-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/920-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/920-290-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/920-291-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1104-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-248-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1208-327-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1208-326-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1208-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1256-283-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1256-282-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1256-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1260-470-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1260-469-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1260-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-312-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1316-313-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1508-226-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1508-227-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1508-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-341-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1592-340-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1592-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-429-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1648-428-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1716-269-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1716-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-216-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1784-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-157-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1824-25-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1824-26-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2064-13-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2064-6-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2064-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-202-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2224-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-447-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2232-448-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2288-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-305-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2288-304-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2320-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-463-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2396-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-464-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2464-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-80-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2484-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2484-404-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2484-403-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2508-324-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/2508-323-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/2508-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-364-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2560-363-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2560-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-49-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2580-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-440-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2628-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-436-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2656-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-385-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2656-386-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2684-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-370-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2684-371-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2700-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-129-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2724-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-393-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2756-392-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2756-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-241-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2820-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-237-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/3048-352-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/3048-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-353-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/3052-415-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3052-414-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3052-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads