0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Size

94KB
MD5

7cd2d6ccbc9d06a600d1f9c653d6ec40
SHA1

ec5ba5fc7e8c62385f7fddf6944fc27bf6eddfe2
SHA256

0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b
SHA512

9750d33045420cedbdeebfcc4d5ed116decfa0ae41d718f6896cdc3392d34426d993edbb76a6b2b1a215108b1a958d537afde20467418ea9a65c1fe390bff92b
SSDEEP

1536:PoPDgffrWOtvGmLqEpwrPJ4+2L4YaIZTJ+7LhkiB0MPiKeEAgv:PUqf6OtvGIGJ4DHaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe

Executes dropped EXE 39 IoCs

pid	Process
2108	Fbdqmghm.exe
2672	Fmjejphb.exe
2572	Fphafl32.exe
2548	Feeiob32.exe
2444	Fmlapp32.exe
3024	Gonnhhln.exe
1692	Gegfdb32.exe
320	Glaoalkh.exe
2312	Gbkgnfbd.exe
2388	Gieojq32.exe
1752	Gldkfl32.exe
1428	Gaqcoc32.exe
844	Gdopkn32.exe
2708	Goddhg32.exe
2772	Gacpdbej.exe
1788	Ghmiam32.exe
1992	Gogangdc.exe
1568	Gaemjbcg.exe
860	Ghoegl32.exe
968	Hmlnoc32.exe
2224	Hahjpbad.exe
2788	Hkpnhgge.exe
2068	Hicodd32.exe
1380	Hdhbam32.exe
1440	Hggomh32.exe
2756	Hejoiedd.exe
2460	Hiekid32.exe
2488	Hpocfncj.exe
3012	Hellne32.exe
1744	Hlfdkoin.exe
2016	Hlfdkoin.exe
1516	Hodpgjha.exe
108	Hlhaqogk.exe
468	Ieqeidnl.exe
1688	Idceea32.exe
484	Ihoafpmp.exe
2612	Iknnbklc.exe
848	Ioijbj32.exe
2600	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
2108	Fbdqmghm.exe
2108	Fbdqmghm.exe
2672	Fmjejphb.exe
2672	Fmjejphb.exe
2572	Fphafl32.exe
2572	Fphafl32.exe
2548	Feeiob32.exe
2548	Feeiob32.exe
2444	Fmlapp32.exe
2444	Fmlapp32.exe
3024	Gonnhhln.exe
3024	Gonnhhln.exe
1692	Gegfdb32.exe
1692	Gegfdb32.exe
320	Glaoalkh.exe
320	Glaoalkh.exe
2312	Gbkgnfbd.exe
2312	Gbkgnfbd.exe
2388	Gieojq32.exe
2388	Gieojq32.exe
1752	Gldkfl32.exe
1752	Gldkfl32.exe
1428	Gaqcoc32.exe
1428	Gaqcoc32.exe
844	Gdopkn32.exe
844	Gdopkn32.exe
2708	Goddhg32.exe
2708	Goddhg32.exe
2772	Gacpdbej.exe
2772	Gacpdbej.exe
1788	Ghmiam32.exe
1788	Ghmiam32.exe
1992	Gogangdc.exe
1992	Gogangdc.exe
1568	Gaemjbcg.exe
1568	Gaemjbcg.exe
860	Ghoegl32.exe
860	Ghoegl32.exe
968	Hmlnoc32.exe
968	Hmlnoc32.exe
2224	Hahjpbad.exe
2224	Hahjpbad.exe
2788	Hkpnhgge.exe
2788	Hkpnhgge.exe
2068	Hicodd32.exe
2068	Hicodd32.exe
1380	Hdhbam32.exe
1380	Hdhbam32.exe
1440	Hggomh32.exe
1440	Hggomh32.exe
2756	Hejoiedd.exe
2756	Hejoiedd.exe
2460	Hiekid32.exe
2460	Hiekid32.exe
2488	Hpocfncj.exe
2488	Hpocfncj.exe
3012	Hellne32.exe
3012	Hellne32.exe
1744	Hlfdkoin.exe
1744	Hlfdkoin.exe
2016	Hlfdkoin.exe
2016	Hlfdkoin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Fphafl32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Oiogaqdb.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hejoiedd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	2600	WerFault.exe	66

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gegfdb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2108	2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe	28
PID 2836 wrote to memory of 2108	2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe	28
PID 2836 wrote to memory of 2108	2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe	28
PID 2836 wrote to memory of 2108	2836	0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe	28
PID 2108 wrote to memory of 2672	2108	Fbdqmghm.exe	29
PID 2108 wrote to memory of 2672	2108	Fbdqmghm.exe	29
PID 2108 wrote to memory of 2672	2108	Fbdqmghm.exe	29
PID 2108 wrote to memory of 2672	2108	Fbdqmghm.exe	29
PID 2672 wrote to memory of 2572	2672	Fmjejphb.exe	30
PID 2672 wrote to memory of 2572	2672	Fmjejphb.exe	30
PID 2672 wrote to memory of 2572	2672	Fmjejphb.exe	30
PID 2672 wrote to memory of 2572	2672	Fmjejphb.exe	30
PID 2572 wrote to memory of 2548	2572	Fphafl32.exe	31
PID 2572 wrote to memory of 2548	2572	Fphafl32.exe	31
PID 2572 wrote to memory of 2548	2572	Fphafl32.exe	31
PID 2572 wrote to memory of 2548	2572	Fphafl32.exe	31
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2548 wrote to memory of 2444	2548	Feeiob32.exe	32
PID 2444 wrote to memory of 3024	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3024	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3024	2444	Fmlapp32.exe	33
PID 2444 wrote to memory of 3024	2444	Fmlapp32.exe	33
PID 3024 wrote to memory of 1692	3024	Gonnhhln.exe	34
PID 3024 wrote to memory of 1692	3024	Gonnhhln.exe	34
PID 3024 wrote to memory of 1692	3024	Gonnhhln.exe	34
PID 3024 wrote to memory of 1692	3024	Gonnhhln.exe	34
PID 1692 wrote to memory of 320	1692	Gegfdb32.exe	35
PID 1692 wrote to memory of 320	1692	Gegfdb32.exe	35
PID 1692 wrote to memory of 320	1692	Gegfdb32.exe	35
PID 1692 wrote to memory of 320	1692	Gegfdb32.exe	35
PID 320 wrote to memory of 2312	320	Glaoalkh.exe	36
PID 320 wrote to memory of 2312	320	Glaoalkh.exe	36
PID 320 wrote to memory of 2312	320	Glaoalkh.exe	36
PID 320 wrote to memory of 2312	320	Glaoalkh.exe	36
PID 2312 wrote to memory of 2388	2312	Gbkgnfbd.exe	37
PID 2312 wrote to memory of 2388	2312	Gbkgnfbd.exe	37
PID 2312 wrote to memory of 2388	2312	Gbkgnfbd.exe	37
PID 2312 wrote to memory of 2388	2312	Gbkgnfbd.exe	37
PID 2388 wrote to memory of 1752	2388	Gieojq32.exe	38
PID 2388 wrote to memory of 1752	2388	Gieojq32.exe	38
PID 2388 wrote to memory of 1752	2388	Gieojq32.exe	38
PID 2388 wrote to memory of 1752	2388	Gieojq32.exe	38
PID 1752 wrote to memory of 1428	1752	Gldkfl32.exe	39
PID 1752 wrote to memory of 1428	1752	Gldkfl32.exe	39
PID 1752 wrote to memory of 1428	1752	Gldkfl32.exe	39
PID 1752 wrote to memory of 1428	1752	Gldkfl32.exe	39
PID 1428 wrote to memory of 844	1428	Gaqcoc32.exe	40
PID 1428 wrote to memory of 844	1428	Gaqcoc32.exe	40
PID 1428 wrote to memory of 844	1428	Gaqcoc32.exe	40
PID 1428 wrote to memory of 844	1428	Gaqcoc32.exe	40
PID 844 wrote to memory of 2708	844	Gdopkn32.exe	41
PID 844 wrote to memory of 2708	844	Gdopkn32.exe	41
PID 844 wrote to memory of 2708	844	Gdopkn32.exe	41
PID 844 wrote to memory of 2708	844	Gdopkn32.exe	41
PID 2708 wrote to memory of 2772	2708	Goddhg32.exe	42
PID 2708 wrote to memory of 2772	2708	Goddhg32.exe	42
PID 2708 wrote to memory of 2772	2708	Goddhg32.exe	42
PID 2708 wrote to memory of 2772	2708	Goddhg32.exe	42
PID 2772 wrote to memory of 1788	2772	Gacpdbej.exe	43
PID 2772 wrote to memory of 1788	2772	Gacpdbej.exe	43
PID 2772 wrote to memory of 1788	2772	Gacpdbej.exe	43
PID 2772 wrote to memory of 1788	2772	Gacpdbej.exe	43

C:\Users\Admin\AppData\Local\Temp\0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0adf0c36d49818da1d2b26c03264164ac72cdc798b9dec2bbb623d2525f9538b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\Fbdqmghm.exe
  C:\Windows\system32\Fbdqmghm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Fmjejphb.exe
    C:\Windows\system32\Fmjejphb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Fphafl32.exe
      C:\Windows\system32\Fphafl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        40⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 140
        41⤵
        Program crash
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
94KB

MD5
65436c4163507770485a771ce5b09e8c

SHA1
2dd3359302c1a6b988b4a1cf6d114ae98e6bdb8a

SHA256
867525c32706528cbd766bb114b5ea97f12eb6c0c0412d891de26fbb76030072

SHA512
8434c99dd4e602e5a0c96b47329d86fb92f87c846977eb5e5644066f1677ca39727728c603c17fec3a384f037e0956aea8265a76d0f46d7d1ea8a3b005d1a3e6

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
94KB

MD5
b53afc01e951ad78f3e27bc5d594dcf2

SHA1
8a2c5ef5cb0efcb99229cbd8caa1a9969310d348

SHA256
e657f41b44f3ce95042a182d15fbd196c6f469a7f830fc55b0ea5134d6648733

SHA512
1fffe860bc88b0c1cfd79c8f216e58b96fafc509c9641f622989260b9451d2a91167188a91797cfda3912b9ffb01fb2313ad28f867b9b5049aebb8b086fc2370

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
94KB

MD5
802c43828d825092f58fdd7655d46172

SHA1
880edd0690e2fc985c74afc6224291b8d31d2e6a

SHA256
f1d3c73ea1f8f3c3c1c28ea20d47b288fa67851fa563f539c59b86da40cc3aac

SHA512
3e9c376dd3239dd5b38d3dbb92acadf6aca609ecdfd5157c420399232627522663bfe4cb312d0537a375797be2e7cb736103648f0d5ea0fa4d0ba525011270df

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
94KB

MD5
0f2e1c89661632cd1f6d6f08650745b9

SHA1
1ba00397be12322b7b7eba88d5013de99ec5e0a3

SHA256
d78151ec9e885f4e3f4370365851779d760357b565f512cb645a2716e18bcbfb

SHA512
dc4f701d86224e4830624bc1c44c81c6086269115973505ab6c65e993627b54fe68a0b50de777468319128edd8ed40d1e0758c678de9584ab3daa80f14a5f8fe

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
94KB

MD5
375ad2dd0030acde59f6a08ea94e33bb

SHA1
d284f283bfe2018d4183fa179a6aa79fad378833

SHA256
8a97ce8286bff90b37e20e7a7266cf2b4a947fe533a9c423c2406cabfc9b1bc2

SHA512
76e62c87847b8105f5157a19a94d27b505d2545fa24e463cc886a7c955f46113837aa8393b2246809d47e3041f74604a339bdb90475772b82f9786a5de6ebde9

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
94KB

MD5
e3b8fe302f40c2cd228594004e8d0249

SHA1
c970f0d75919faeb88332bb8487c94f44793e352

SHA256
1badb358ff3fde3ad2357d5ee0257c503a42bec5705a6782d18c260de5f3ff23

SHA512
1544682b7471388ec1d0a1a9a2d2d4467d607c868007b7205e398b2901a9f0f219c3b60323d756438feefa87799969dcf981e8b1144219084d634a667ca2280a

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
94KB

MD5
a2c7d476d1cc9b8d13ec4b4bfa763cf1

SHA1
45393e53116f9c20c4ca505b2bedc14aba8943f4

SHA256
5d8782f16d16f591db65ee46a5a83e9a6567aeea15220871b5a65d49c52e88ec

SHA512
a26cd9d5f19803fc50cb86b8d9ebc0ab1b43cd9a210608b6a652465d81ad210471b5a535b8fddc3aa0916ed44e52acaa0dcd4d735dcc53a3b5d2f912850ee066

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
94KB

MD5
0897a3b3552acac7e16ca3f060a6136a

SHA1
2e4fe4c057ead4faec12624e636cae6ef344e4a4

SHA256
f24dc55bd3721b3f3b49e8c82cdb492822f602fe84c7c1f30b5f9870a0f9c954

SHA512
6cd041cb3d8b72f73d86f2d6c808cc0f5105e4340530595092d6473a30f0c5700b0be27e66698456c6182271211b57779cdb39f6eea994b5619c131c2347cecc

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
94KB

MD5
a59e29ab634156ba9107b8439dcea8c8

SHA1
2d831badbc6eb9412dd5981462090347aaef7a84

SHA256
3d8517403d7f7d472e18d0ac9590ec338fa728ad06f4bcac0fc8e8d36b3982eb

SHA512
82ed7b9143ba0f09a315f78037fba4b08df862cd79df28e858626ea89daaae90f3072c6d29f2aeeec7f25c5cd5c18f21dbdfbde22ed4480a6383ea47f0c9a3b3

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
94KB

MD5
802381ecb1c10d4632760f10a889c686

SHA1
5f34c58f11fed1808fdee46af9f01a4f64102040

SHA256
886b40f6995670aa4b28d10565ad14804aee6dcd84a5cffb091f306de7589297

SHA512
06aa71d5ae14c8706f8d7a3419c76f846a12a8131d258837b1f41a7daeae0d218cc93577a3628f419c95d0097a8f65703454c4c97a7a28da0eb77d871c1d5f2c

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
94KB

MD5
f3f437c83388cb5360d49e12baa4e0f3

SHA1
15c503b268413608c5aea1b5e750a81cb80b37ad

SHA256
db307188c7321a6de78f9b7e70f8ce819660171298943c002559b335c74b270f

SHA512
5cce4f9c1018d306dc5d8152a3525586dd992620618616120aa84f3bc57deeea6d46fc8730ebc6ce2c32d3230dd38bb05027a06da70752de357b265743cf8926

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
94KB

MD5
e94dcd63d7af1faea8ec01e199b0dc5e

SHA1
23f997b45192018df6b29e7bca253d9cb7d20362

SHA256
33f72170bf71c3a88b81868cf4495a6aa682310fddbf5333237d4fb8d30bf49d

SHA512
eac4f25789e7c825e88172f1213ee46bee525fb7f52a40ac325de7cfb3a029486948fcbefbcb5e833ea7308859a39edf8328b820ba278e55d8b7a52b5613b6a6

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
94KB

MD5
5d9fbc281f9a365d28e0817be95f0cd5

SHA1
a37bf657eb965fc8883d120cc79bbb740881d8ec

SHA256
493cd94b41d087e785e0ba9cf253474448a0c1d058936298e1e9460cfb8eb751

SHA512
e399e8f6f6583f14a726abef433e57be14d21fc695ad3d3083f4b74f5945173b1bef3d4faf6fc48838a3ef904b323cc073021e2890d4821042bd42d432e6ebd1

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
94KB

MD5
fd52de6d86ca819016651b233a038be9

SHA1
f2ce0e9011eb2a198a500f923fa5251daadc6b8c

SHA256
bf75dc1c19f5199c622d1608d86203a6df24447bccee2d4f5b8265a511f40056

SHA512
2f5cd292001682f0e4bed11f10580fcc7fc2091a556c00fbf70e241a3d767a2ca86a647bceafca4cf0ad2bde500372bd60dc1a29bdfdcce8391bed21cb30e2e7

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
94KB

MD5
9e7272e39415e21cbbf46226d7e36941

SHA1
58f953d2519c19fd1a700394d21a330dafc19cab

SHA256
1163517f96e2fef2062f820485b96bd859f6db2add97faf1625e92591d245956

SHA512
28a2def10e0b38036fb726975ae081ae3c81bc0bb5c32815479b75e60b8d0b7bbd145e7a25370ddaabb19f82f5a2e7c691a55a2f6748a57246f3346db346f4d9

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
94KB

MD5
e27fcd4bad0545ec7862724d9c07a32d

SHA1
b9ed0be8910cde4469b3e19d9c78e7df31d545f4

SHA256
b7437d2f663fe7b4f30d88201536ef661bb5a4161706d860c7b9a24ea9b25f84

SHA512
6640b32620bb084346b3b68709c5e96629e8337f315ab0e866ad0a58dcee65145807bd66db0f0c35cd3753234d38f0da738eeb3cd58b8993ba61a524333f0582

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
94KB

MD5
9a71de1ef0e2fb2c5a2d182136e201ab

SHA1
ac82a03dd7a6bfd74306f1be6d015ad2f8e67f7d

SHA256
b1b0a3e85f253e7e38b6b7e3ad2475df73090c538104761da554ebc6fbe21b05

SHA512
95d926624db6d03d27c86e4d96d778ff200ca8c20593c10b09c4be2959fa336d4febbc09d83d6851a8c1de5a8101339b989616f852935b95e1ebb5adabaacc9e

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
94KB

MD5
ba594138072b0729f3da03f9f158757b

SHA1
4ffd775a8080d6b97f9ebb203d1bddaa69524dd9

SHA256
9b786543f1cc73e5f4bde7af6e64b043e2661fa2f79a48076a2f09152e80b52b

SHA512
ea2db01ef09713d795ab011a28cf6ab1ad2267eeffd4e794b5d0041d9d9c5762762f2c59b0aaadca2dc2613ec731181f2d8ca8de358ae88bd1b0fb249f54cf3d

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
94KB

MD5
2756e37c6ca61dfd335a837b45f0ac52

SHA1
bd78fa2a96da4bc79a09436b640715416b49dd9f

SHA256
201743b791a209d2de09779278147749c1fcdae43493cee2ac1b331e6dd0ee1c

SHA512
69405fa822fe33970e7fa270d1223cb066c3744879cdbabf4da44f96854dcc6f3bc4afa90795de45ff475ace337d877b906ce8c842099858e9c9b99c8549a761

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
94KB

MD5
88e023c8208c231cb0cab8044f5521ab

SHA1
614e111d7083cf193c77553cbc4b950a10e45c90

SHA256
75e8b1f65bfdc05044a19e4be28a37a11af571a3889232a9dfd776f30b0ab560

SHA512
612b7c92b634670bdf56e8c791b0101122a833280840b9af8f48f3da6ae518f72b5a6566d0282a8626077d5a50e9683db06ea7eb6b9790a2b25f0bdba39db4be

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
94KB

MD5
278e4b2757a56fd9f2bc62bd0ed49ccc

SHA1
7560cdc3248cf47f792d63fefe6215e1d8fbf04a

SHA256
1cf69924acd4791234d1f7ecd0be2e5d18406c36861f07ff68a3569425c04ea6

SHA512
501af0ed7b0eadbc48dc6698c163543b9afa9ae207e8c7baa52c6fe16528edb28947d0f4eb0d84007e1d26de6f6c106824787bb1490dffb118ddaf08d0a7df77

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
94KB

MD5
4341938630628b19b5fc43ebf9a8f13a

SHA1
ed6657bbe273363d146b733099e0a14d143a091c

SHA256
0c3f85107814a522ded98a6996c44884b1121d2e40cc7171853a5fedb674eacc

SHA512
6bd0ce4a754ad7360a1aec0afd33ae514b77cf5497709465f9aa03a1807ddf3234a2cf8c90aba624c1972542cd60e47ac2f80349d7b91dc88d3f4161036aecfb

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
94KB

MD5
99f4b8c44f4d8aca06b5744c47afa0f2

SHA1
639e3f2f89d3450a85b2e0c40e0f0689ce827424

SHA256
741c8c09b8a5b1afc152754b32c02d1b19f60be33b7a2ab78268a00ecabf7363

SHA512
6288699da593535456dfafd0c191adba029035d56da01b55eb347eadc55d74e5e91e9f160f98715a24ce3a8541d24caa0fee9dc463471ba86ea7f9cf370d5843

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
94KB

MD5
5a44c0726d24cb27fb79f77411e4c8c3

SHA1
28c0df828639967ac1eae5a2b39f13e1d4f47275

SHA256
021c89c2c2108e554c9168770e325bfb976229de88ae4313a86bd99c8d208223

SHA512
2cae22fd361cc15fdb349e23b54f126b157af8ddfcf6f3309bf555ebc9775f8d1f9df7e7988b62b614aff4f6cecf8c990143a70cc5eee283a7e7d6d32cc5c77c

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
94KB

MD5
5d326abc88acc872d181378f2ed05dc2

SHA1
756779f9a483402cc72cf144db16cff071721ce1

SHA256
9c1ab3995e33417baa8c29311d30138180a2a03d57d8234cef556845a0787529

SHA512
08f294937b1dfc97bbed7ac4f3a43c254d379cc50457ed8c3aea1c4f308a0c8aadc1f78a5ed13df74dce861e3fd8705bde11c3d9fe72dbc470f557b99efcac96

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
94KB

MD5
61fb8d352e30206d4739161659e8b1fa

SHA1
c6fab20e89615aa4a14179b5582b8e29eee3c68f

SHA256
9fd842edfff66879fce2b6f8925d68abf0b720e262baddaf37715dc2d09a7a32

SHA512
709db1cdb7f37d2ed80b7b9fe14c314b672a097f758b464c23e0e54ba12460a772e105cc98c70e099a1f0811e621b311aef46468df09779f9e7f56cd91ea25e0

Download Submit
\Windows\SysWOW64\Fmjejphb.exe

Filesize
94KB

MD5
17db4a9d11f45050758dd6eb471b7153

SHA1
8b45fe5aa2d8ca72d8ffa6905bda5365d3ff5c7c

SHA256
512d69869567eab7856c044246384f7b516bd6e8fc08a5c4a4a9ed88f5935d12

SHA512
e99c49457e9c1810530a3822d82ad98ccd1a2f41b946347a3cb535638ad0acbba5e8fd2fb6048ac1bda81829e029fa17b923346142cab65e76f87e7aea953df5

Download Submit
\Windows\SysWOW64\Fphafl32.exe

Filesize
94KB

MD5
41b27a0d1db6cd95805ea5c014d2655e

SHA1
7cb1758287ce1fc1d0f556bcf87f7d09d3cf37ed

SHA256
5cb98a23320fc183ea8ba8024731d64c6d7446dae9b8292174daab00b4594c44

SHA512
272ead30b6929124580558481493ec466932c8e8380f7c457c173bc1e8213c1f148747ff1ca1c6714d1827d4618d94f3ad2354bcba27ec2f1435b27f40f3a343

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
94KB

MD5
c126304c947a697d00142d4293e53352

SHA1
84d446b3353914a3806e1c7876783434e1285ecc

SHA256
49af283e5631b020de37cc105751159faf9013b448ba86fb95d959401e367d0c

SHA512
679b1c79c9abffacf2a6e1b2ebef18751c293cc3ba1f6aeb2680da79155b9eb15495998acfc6a3880f70392ef0ac93de941da31934184da1c908047e796ba78f

Download Submit
\Windows\SysWOW64\Gaqcoc32.exe

Filesize
94KB

MD5
8753453a2d417b0f90e3796fe6b154f1

SHA1
822443d0f7e7d44711aef1ea3fa63c875087d585

SHA256
b70f2a129655dee316d25d261056a69664e170f0fac70a981371ea4aae90f1a7

SHA512
f4cc702325a7015c64e241dd8d8ba5b3f6273d352b9b1d1db2f396f42d080b254f5e5bdad48eab0437fabb52556a7b96594c0a572042211b727f3efbc6535eec

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
94KB

MD5
87d233f0fb0507a865aa33c932c8db71

SHA1
49c491f4e907eb7cca3ad8934a397463e6982f30

SHA256
8bfb88853d2bfb47c7c076146b336f5045b305ce9e6b5edbcbab901aa34d55c7

SHA512
db48cd26d979442e10754312910ad34b765a75f70c4a450bbba7eb1d537ec388a4e966a742c024070ae723196c7976a6aa53046bcbe81352e2275d5821a059b3

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
94KB

MD5
e3986e6496bd96c5dd8704f4ed75c01f

SHA1
840a787303abc50c9a00fe2ecb0b0ed8c26a969c

SHA256
7e3923d0c50b0ee790d4035fae8f0d6b699b675d690640254e8633032632ebc9

SHA512
51927c77d5e0ab51952325cb85247ad0959c02924865174c021444ce97fbcb488257b067b53635cee330bd9070675954e541b21fe02af61621141cbee4cb4dc4

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
94KB

MD5
07a517aa3860319be5ad167869420c49

SHA1
cfb602968844cf662441eca61036024cc714e22d

SHA256
93d26828d3727dccefb3a4742a907f9d9f99bf419f71d44c5ff158ee4a3569b9

SHA512
535d4129ca8b156f4027aa16a38cbe3531fdd36ae953645896c4fa28d45db1f8fefb3fa4307c8b06a5551ad10207804e70fdb4b2829bcb97aea0ccfbabeb9102

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
94KB

MD5
ab148cf7e446a29e99d97182630dd3eb

SHA1
49dc499535622d1c5d2d76b44a6c18cb23af7ae1

SHA256
23a77dc6c957b5efce7489b8fc004d2ddffe4763363f1a6b885c14a561ab24ee

SHA512
eef7aad79e7095f52fc10192dba938beec504a058e7dd51a9683e22462291dbbf6b4cf763064c459e36dc629fc914ce23fb048996e48ba9e5c47d929efa93ef7

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
94KB

MD5
cc2f41276818b59f569dbee0a865beb4

SHA1
4f2b5b3edf2bf7db5f82d81a24db350daaa6e83c

SHA256
98129d653575f2ad0c7bb095e71cc490de82236396fd7c932302501c22e7cd75

SHA512
045d63e2db6197975f56a593c86ec590c4a74dce4e8aff21668c5939b7e3860b5f93f3083ec60b20170321dbd76cf7eaae763b47e0453aa756c83582c3be1f96

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
94KB

MD5
017d59679fc00a6fbd70eaf7abd9c813

SHA1
a720a1ef1d4cc9200e0fa34fed90d6ecf3af9dd3

SHA256
17721c53d1a9be315c7423d183450f220465e4ebf02fd02d6aef83cf4fa6815c

SHA512
d75024b7aa8c0547c7053686faf37e73b2c616903e34f470d0986e7264456c219e124ff0603f47cf342015e9608109f27ef034f0b10d33754df4d7fb73577a37

Download Submit
\Windows\SysWOW64\Goddhg32.exe

Filesize
94KB

MD5
b793806f5a04481b1661b95aa3d858c7

SHA1
54d225f710ef2fcbd0cc3462f428957ff0847326

SHA256
8227e13ea918efb7498050bd0e4ff8b3487ebe5da3b58ed8ebd3115b4c9880d6

SHA512
95df19c396045dc2ec05537eaeafe5b083463c47fcc517785b0e87909132f6627fb660425e2b96edf6394b3efc4a985f0c9ed53eee224a97d11b6ed4bbda5ad4

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
94KB

MD5
335257e6a1f027976b6a1e89f5f66089

SHA1
a575c52862518524e000045ff65a77e006cf4eed

SHA256
8737cbf9260f63ba44603d47410020ee5b9fb1d5b17562ba75d8f6731b5250e4

SHA512
d67ff977e7e5db83553774b16d15051ed4c6e5926f1699832b45a19e28125b9314d4dfd2a1e1808d532501af2e34dfab5d2c2f4734143a110851d25a0ead0893

Download Submit
memory/108-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/320-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/320-221-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/468-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-272-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/844-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-271-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/844-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/860-330-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/860-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/860-329-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/860-283-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/968-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-331-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1380-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-387-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1428-180-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1428-179-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1428-254-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1428-257-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1428-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-260-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/1688-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-107-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/1692-183-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/1692-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-177-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/1752-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-238-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1992-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-399-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/2068-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-317-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2068-318-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2068-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-382-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2108-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2108-30-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2224-296-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2224-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-361-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2312-144-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2312-232-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2312-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-152-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2388-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-248-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2444-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-74-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2460-406-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2460-362-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2460-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2460-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-413-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2488-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-51-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2572-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-285-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2708-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-210-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2708-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-351-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2756-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-400-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2756-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-224-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2772-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-286-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2788-307-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2788-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-6-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3012-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-383-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3024-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads