66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
Size

243KB
MD5

f7692dae821dbfb1fb83816147dba0d0
SHA1

147ef68fc2bb4598c53ee54b7ea3622f915a001e
SHA256

66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26
SHA512

c634367613d712909a9ebe6cc7b15af2e26131fb1379055dd39e06b348c2cb5a7cc84a3e724b75414cf347c79a1736e678742d6bfa505a77bdf5df02835caa9c
SSDEEP

3072:mzXuxdoUUsuKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:VxdTUsuKzwdlU2zlNgwTnAWtlhjQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjgal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljcelan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaiqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljcelan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Comimg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdjbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbiicon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphlljge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djbiicon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhjgal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfijnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphlljge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe

Executes dropped EXE 37 IoCs

pid	Process
1988	Cljcelan.exe
2540	Cphlljge.exe
2676	Comimg32.exe
1236	Ckdjbh32.exe
2812	Chhjkl32.exe
2440	Dhjgal32.exe
2496	Dqelenlc.exe
2820	Djnpnc32.exe
2984	Dcfdgiid.exe
2756	Djbiicon.exe
1512	Dfijnd32.exe
1928	Ejgcdb32.exe
2788	Eeqdep32.exe
2644	Enihne32.exe
2864	Eiaiqn32.exe
1460	Fjdbnf32.exe
1824	Fmcoja32.exe
2148	Fpdhklkl.exe
1312	Fpfdalii.exe
1940	Fbdqmghm.exe
1876	Ffbicfoc.exe
1740	Gpknlk32.exe
2888	Gegfdb32.exe
1580	Gejcjbah.exe
1752	Gaqcoc32.exe
2232	Glfhll32.exe
1992	Geolea32.exe
3040	Ggpimica.exe
2552	Hmlnoc32.exe
2452	Hlakpp32.exe
2844	Hdhbam32.exe
2700	Hlcgeo32.exe
2476	Hjhhocjj.exe
2508	Hodpgjha.exe
2968	Hlhaqogk.exe
3000	Ihoafpmp.exe
1592	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
1988	Cljcelan.exe
1988	Cljcelan.exe
2540	Cphlljge.exe
2540	Cphlljge.exe
2676	Comimg32.exe
2676	Comimg32.exe
1236	Ckdjbh32.exe
1236	Ckdjbh32.exe
2812	Chhjkl32.exe
2812	Chhjkl32.exe
2440	Dhjgal32.exe
2440	Dhjgal32.exe
2496	Dqelenlc.exe
2496	Dqelenlc.exe
2820	Djnpnc32.exe
2820	Djnpnc32.exe
2984	Dcfdgiid.exe
2984	Dcfdgiid.exe
2756	Djbiicon.exe
2756	Djbiicon.exe
1512	Dfijnd32.exe
1512	Dfijnd32.exe
1928	Ejgcdb32.exe
1928	Ejgcdb32.exe
2788	Eeqdep32.exe
2788	Eeqdep32.exe
2644	Enihne32.exe
2644	Enihne32.exe
2864	Eiaiqn32.exe
2864	Eiaiqn32.exe
1460	Fjdbnf32.exe
1460	Fjdbnf32.exe
1824	Fmcoja32.exe
1824	Fmcoja32.exe
2148	Fpdhklkl.exe
2148	Fpdhklkl.exe
1312	Fpfdalii.exe
1312	Fpfdalii.exe
1940	Fbdqmghm.exe
1940	Fbdqmghm.exe
1876	Ffbicfoc.exe
1876	Ffbicfoc.exe
1740	Gpknlk32.exe
1740	Gpknlk32.exe
2888	Gegfdb32.exe
2888	Gegfdb32.exe
1580	Gejcjbah.exe
1580	Gejcjbah.exe
1752	Gaqcoc32.exe
1752	Gaqcoc32.exe
2232	Glfhll32.exe
2232	Glfhll32.exe
1992	Geolea32.exe
1992	Geolea32.exe
3040	Ggpimica.exe
3040	Ggpimica.exe
2552	Hmlnoc32.exe
2552	Hmlnoc32.exe
2452	Hlakpp32.exe
2452	Hlakpp32.exe
2844	Hdhbam32.exe
2844	Hdhbam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gejcjbah.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	Enihne32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Djnpnc32.exe	Dqelenlc.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Fgdqfpma.dll	Cljcelan.exe
File created	C:\Windows\SysWOW64\Djnpnc32.exe	Dqelenlc.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Dchfknpg.dll	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Cphlljge.exe	Cljcelan.exe
File created	C:\Windows\SysWOW64\Eeqdep32.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Fpfdalii.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Njqaac32.dll	Dfijnd32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Fglhobmg.dll	Dhjgal32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Dcfdgiid.exe	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Dfijnd32.exe	Djbiicon.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Dqelenlc.exe	Dhjgal32.exe
File opened for modification	C:\Windows\SysWOW64\Eeqdep32.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Dhjgal32.exe	Chhjkl32.exe
File created	C:\Windows\SysWOW64\Djbiicon.exe	Dcfdgiid.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Ognnoaka.dll	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Fpfdalii.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Eiaiqn32.exe	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Fkahhbbj.dll	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Keledb32.dll	Ckdjbh32.exe
File opened for modification	C:\Windows\SysWOW64\Dcfdgiid.exe	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Dlcdphdj.dll	Comimg32.exe
File created	C:\Windows\SysWOW64\Comimg32.exe	Cphlljge.exe
File created	C:\Windows\SysWOW64\Flcnijgi.dll	Dcfdgiid.exe
File created	C:\Windows\SysWOW64\Fjdbnf32.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Cljcelan.exe	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ckdjbh32.exe	Comimg32.exe
File created	C:\Windows\SysWOW64\Dqelenlc.exe	Dhjgal32.exe
File opened for modification	C:\Windows\SysWOW64\Djbiicon.exe	Dcfdgiid.exe
File created	C:\Windows\SysWOW64\Hkfmal32.dll	Cphlljge.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Fpdhklkl.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Eeqdep32.exe
File opened for modification	C:\Windows\SysWOW64\Comimg32.exe	Cphlljge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	1592	WerFault.exe	64

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll"	Cljcelan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphlljge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keledb32.dll"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll"	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhjgal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll"	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll"	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdjbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cljcelan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1988	1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe	28
PID 1652 wrote to memory of 1988	1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe	28
PID 1652 wrote to memory of 1988	1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe	28
PID 1652 wrote to memory of 1988	1652	66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 2540	1988	Cljcelan.exe	29
PID 1988 wrote to memory of 2540	1988	Cljcelan.exe	29
PID 1988 wrote to memory of 2540	1988	Cljcelan.exe	29
PID 1988 wrote to memory of 2540	1988	Cljcelan.exe	29
PID 2540 wrote to memory of 2676	2540	Cphlljge.exe	30
PID 2540 wrote to memory of 2676	2540	Cphlljge.exe	30
PID 2540 wrote to memory of 2676	2540	Cphlljge.exe	30
PID 2540 wrote to memory of 2676	2540	Cphlljge.exe	30
PID 2676 wrote to memory of 1236	2676	Comimg32.exe	31
PID 2676 wrote to memory of 1236	2676	Comimg32.exe	31
PID 2676 wrote to memory of 1236	2676	Comimg32.exe	31
PID 2676 wrote to memory of 1236	2676	Comimg32.exe	31
PID 1236 wrote to memory of 2812	1236	Ckdjbh32.exe	32
PID 1236 wrote to memory of 2812	1236	Ckdjbh32.exe	32
PID 1236 wrote to memory of 2812	1236	Ckdjbh32.exe	32
PID 1236 wrote to memory of 2812	1236	Ckdjbh32.exe	32
PID 2812 wrote to memory of 2440	2812	Chhjkl32.exe	33
PID 2812 wrote to memory of 2440	2812	Chhjkl32.exe	33
PID 2812 wrote to memory of 2440	2812	Chhjkl32.exe	33
PID 2812 wrote to memory of 2440	2812	Chhjkl32.exe	33
PID 2440 wrote to memory of 2496	2440	Dhjgal32.exe	34
PID 2440 wrote to memory of 2496	2440	Dhjgal32.exe	34
PID 2440 wrote to memory of 2496	2440	Dhjgal32.exe	34
PID 2440 wrote to memory of 2496	2440	Dhjgal32.exe	34
PID 2496 wrote to memory of 2820	2496	Dqelenlc.exe	35
PID 2496 wrote to memory of 2820	2496	Dqelenlc.exe	35
PID 2496 wrote to memory of 2820	2496	Dqelenlc.exe	35
PID 2496 wrote to memory of 2820	2496	Dqelenlc.exe	35
PID 2820 wrote to memory of 2984	2820	Djnpnc32.exe	36
PID 2820 wrote to memory of 2984	2820	Djnpnc32.exe	36
PID 2820 wrote to memory of 2984	2820	Djnpnc32.exe	36
PID 2820 wrote to memory of 2984	2820	Djnpnc32.exe	36
PID 2984 wrote to memory of 2756	2984	Dcfdgiid.exe	37
PID 2984 wrote to memory of 2756	2984	Dcfdgiid.exe	37
PID 2984 wrote to memory of 2756	2984	Dcfdgiid.exe	37
PID 2984 wrote to memory of 2756	2984	Dcfdgiid.exe	37
PID 2756 wrote to memory of 1512	2756	Djbiicon.exe	38
PID 2756 wrote to memory of 1512	2756	Djbiicon.exe	38
PID 2756 wrote to memory of 1512	2756	Djbiicon.exe	38
PID 2756 wrote to memory of 1512	2756	Djbiicon.exe	38
PID 1512 wrote to memory of 1928	1512	Dfijnd32.exe	39
PID 1512 wrote to memory of 1928	1512	Dfijnd32.exe	39
PID 1512 wrote to memory of 1928	1512	Dfijnd32.exe	39
PID 1512 wrote to memory of 1928	1512	Dfijnd32.exe	39
PID 1928 wrote to memory of 2788	1928	Ejgcdb32.exe	40
PID 1928 wrote to memory of 2788	1928	Ejgcdb32.exe	40
PID 1928 wrote to memory of 2788	1928	Ejgcdb32.exe	40
PID 1928 wrote to memory of 2788	1928	Ejgcdb32.exe	40
PID 2788 wrote to memory of 2644	2788	Eeqdep32.exe	41
PID 2788 wrote to memory of 2644	2788	Eeqdep32.exe	41
PID 2788 wrote to memory of 2644	2788	Eeqdep32.exe	41
PID 2788 wrote to memory of 2644	2788	Eeqdep32.exe	41
PID 2644 wrote to memory of 2864	2644	Enihne32.exe	42
PID 2644 wrote to memory of 2864	2644	Enihne32.exe	42
PID 2644 wrote to memory of 2864	2644	Enihne32.exe	42
PID 2644 wrote to memory of 2864	2644	Enihne32.exe	42
PID 2864 wrote to memory of 1460	2864	Eiaiqn32.exe	43
PID 2864 wrote to memory of 1460	2864	Eiaiqn32.exe	43
PID 2864 wrote to memory of 1460	2864	Eiaiqn32.exe	43
PID 2864 wrote to memory of 1460	2864	Eiaiqn32.exe	43

C:\Users\Admin\AppData\Local\Temp\66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66755ce9873419ec49ac22c029ee2a2a0d8288d3bd6d9fe9ec0631d12abf4e26_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Cljcelan.exe
  C:\Windows\system32\Cljcelan.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\Cphlljge.exe
    C:\Windows\system32\Cphlljge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\Comimg32.exe
      C:\Windows\system32\Comimg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Ckdjbh32.exe
        
        C:\Windows\system32\Ckdjbh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\Chhjkl32.exe
        
        C:\Windows\system32\Chhjkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Dhjgal32.exe
        
        C:\Windows\system32\Dhjgal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Dqelenlc.exe
        
        C:\Windows\system32\Dqelenlc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Djnpnc32.exe
        
        C:\Windows\system32\Djnpnc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Dcfdgiid.exe
        
        C:\Windows\system32\Dcfdgiid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Djbiicon.exe
        
        C:\Windows\system32\Djbiicon.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Dfijnd32.exe
        
        C:\Windows\system32\Dfijnd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Ejgcdb32.exe
        
        C:\Windows\system32\Ejgcdb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Eeqdep32.exe
        
        C:\Windows\system32\Eeqdep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Eiaiqn32.exe
        
        C:\Windows\system32\Eiaiqn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Fjdbnf32.exe
        
        C:\Windows\system32\Fjdbnf32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Fpdhklkl.exe
        
        C:\Windows\system32\Fpdhklkl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        38⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 140
        39⤵
        Program crash
        
        PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckdjbh32.exe

Filesize
243KB

MD5
7d2d2a04f2868fb1f97940e29d1bad6a

SHA1
362a10a202ee4f54dc6523e053251074495faf37

SHA256
153e581f772a4c6a71e0a88b498e099a9d179775a836906dde620de6c5fa4c43

SHA512
35f27952fedb537009f726ea026eed0b3d01b903cfeaa9202a0e40f2df253ead9f4b005a6a354be6004cca74955a4945c3e5e7163b00c24873657c7512112acb

Download Submit
C:\Windows\SysWOW64\Enihne32.exe

Filesize
243KB

MD5
5e489d55deafad66d74449a608393d29

SHA1
61995d8fe0fd2bf5d92a489e1d002308d201a05e

SHA256
0959e8156dd79b92666417cd9422a69642a8a4595b210ec16a9cad9569e82575

SHA512
343580547bcef0ca85b06daa774c02a082409e9bac15f85e69040bdc56935a02f4f76674eace4faba7cfb2f1bbb4a5d82a3e5cfc1c6197111959889696917cf0

Download Submit
C:\Windows\SysWOW64\Fbdqmghm.exe

Filesize
243KB

MD5
23d624b9e2832f3d8a59354ab4f54a8a

SHA1
65bf5c69e0acdb590b41021f1712f0a7452f0dd2

SHA256
da6595e681c53523c441bdcaefc7954acdb4e828e7f32974e114d6bfbc6eda65

SHA512
2ceb3036377835ae96fcb3da5fd5d939d2b12cb3c2b3eb763d6f591a08194dcd757a75052495f25f2ce07548b90ce759c131c60d2a85c60aecf4da25e7f2ac89

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
243KB

MD5
acb3591f432dd49395df7f2a1dd4f3be

SHA1
4e834cd6b16eb2bc783044c3981024b3657fe701

SHA256
2c14ab7d53287c89a57c733ec446adb2222a286e4d5f8d10b91ce3230a4725db

SHA512
ef315da8b7a1ee7fa6382c51cdc0c2a5ad3f122da9c2c485fccd6fe5e827342279ff0b987b73fd56c67d709153a1ab8e1a2097497a4e36620f5266b521221c63

Download Submit
C:\Windows\SysWOW64\Fmcoja32.exe

Filesize
243KB

MD5
9cf00662d3b06c4cd1c85169c5e10f22

SHA1
de73f5b5fd287d6071a76c5397567816b4c566c5

SHA256
1f83368dfbda62c389aabec551435173c4d56a3ac99dce06cb0ed25f9f131fe8

SHA512
a988f3b8d24f3be9980da2cc08255f82310f36ee05c9d9bfe1a42005aa979b5e5e1f190d72073c227a9772b08d32b5f621f19ed21780fb0a13e1bc50a27a3035

Download Submit
C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
243KB

MD5
6ad47ccd802a3574b5c7c9579aa87dfd

SHA1
bb633689f094c471a7e748ce3e9e2a8daef4ad70

SHA256
cfb407e1cfffdc6bada284a308fd9457b1faece72e7f01345c40b7285c58ca3d

SHA512
36708917c2a63becf22a06be902e89aba5b2e9cd62421af5f6cf4180df88474533feb6e6d7ecd6a4e526ba356c48769fc6d442e14274489152fbab00d500223d

Download Submit
C:\Windows\SysWOW64\Fpfdalii.exe

Filesize
243KB

MD5
f8dd24bc521dec73618b01cadfdbfc7f

SHA1
911a089b6a255b91f5c22ef5640563cfee3e4752

SHA256
762203ec2804ee81ddb75b2ed7cbc2c7f96c6a0c0270db43c731cc44c9c204af

SHA512
2fdb7166bd17a1a90d27b34e82ea416574581795e564b316d9757e4dc0ea6f9213fbb03ddd9772e234575592c636362dc5e5cb666f9ecfa71f2f42bd417fd3ae

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
243KB

MD5
881509c793baef1067d8cf0a80936322

SHA1
b731b35a535e2e094730e6e9e509dce6a3124d4f

SHA256
d0d7b78365c18aa3e4909599092b68e7273714d6b148a4f3472c3c5a23337948

SHA512
81376e35e507143f72fe97f22c2ccce7d652edde5cd88d3ffc85b804273962e83c193e2e500843d8c1da9d85406703b96b66c82b6dcdc4517c0129bb42f245ca

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
243KB

MD5
b5a5378ea46740eb55f88dd1475c8be3

SHA1
20822f79423e6425160bf1af5efe6717b77c37a5

SHA256
a0a5e95da355d69dc211ac429793807f5751f445ec82c2eb1ec35533121e3634

SHA512
6a3fbb889737ce56d48918d366985ef3b6f2ef7708c48c2305252915fb9cf874e8e1d33920a1d806c090266e441f37e92d26faa44bda5697f7046592f2a3cda8

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
243KB

MD5
cbb681ef742e373c1607e826bc8a8915

SHA1
815d0e21c013a11c209e3cb7d9b940a337519cca

SHA256
3297b1a1a20de3cf5876a76adbf28fa2571f5fbc15f760c50f1a655dbaa04805

SHA512
5dc48e9a70ac6e7486cbdb2a2bda61b9ada794edad7272833857a791d2a08e5fa7b6aa01d2243018b05ed74b230340a757cee5d70191dd3265c18607e939621a

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
243KB

MD5
1aabe063c6ffb99b0dac20570f390bd8

SHA1
d31b3e8da2125a13b5c26e195a83de025ac6f45d

SHA256
807cc3d111ba36b4eb8b30a462ceddf021db6b00c7dc4c99a7e03850df465d3c

SHA512
80d276fb7941dd0b6d13fc6aa0220239669d5bb75be41fce31ca1ed5858c389b6735e2f28fbf181a9193bf7dbaf809d5b0311e1b39d9b9f4c78fcefbd196bc6d

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
243KB

MD5
3f2888362653805c31cf0fd76b71c8ba

SHA1
c35c700ec63eae73edb2ccc6516020c96d12fad7

SHA256
2f39a00b920a146793f23f7557e6e7b788a3d0d3ee5af0e4eb99ceb79e3e2fcf

SHA512
62e45ec8bc13ef7fb8541bc160d93bd7cbf1f2a843adf2fccdb18c7cef58e3d26ec07c834e19cfc57e6495af980305acbd3741595d7cc558ff049ee2c86b11c9

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
243KB

MD5
d2b596a6d26f445c428265e9bee7b9e2

SHA1
3498f99c06c1f09d0375d793edc6805ae89bb36e

SHA256
5cac07227974164fb73e560e72f732323e160455c25c5db671d83fbdeb497cf1

SHA512
b4c974b45502bbf5f1b2e04bd345c4b530029d55c18dc5de54368db31e8709bc57c35f27f713c57e68d98663d7aaa4a88d751193e53a0562636eca5de97e89e0

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
243KB

MD5
f28e7d3208bcd043042956818dcb6175

SHA1
8b87ffdc9216eef87279870cb5efb6b77dfd9d45

SHA256
47078a61042aa05d602401a86075fdb29c2763a50675e27fd336b8257ff17282

SHA512
fb5b6dff2294cb9b44ccbc338b6e7c0e9f23c329936ffaf9c038cedc0e385e088a7872475547cb7ec56c542162b736fed3fa43de1564917c67b4b9b94617bbb2

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
243KB

MD5
3be623cc2f9b80f51bfc7baa16bbd2fc

SHA1
75e33bf51ecdcf42868fe5d99c2ef4fbb2afb83a

SHA256
4594d247fb55600afdac667231decb8c5cc1090e7c59629d542b12289dad29a0

SHA512
f34e6f47d3e037d85f28426c10a514c7cdd71d7633f9c1964ea4463a029bfa4c6fa75a578a729f74c0f57ae2f0bc9a5194265032cfae782a836b9a40c4689d52

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
243KB

MD5
445c869b0f9af16c216b71f67e51e9e7

SHA1
b658c4abc0f0419be1a4cf78a87d602b52c2e193

SHA256
b71448f5bba4b9f50d1a8fe251abd538c2a2b6860321dc3a9919070ff8b936ee

SHA512
c85b3b25558631eb7c7ef5b5e5d84c6f8d674f9832a56e112779b353a6c646e8880e0233c509ecf2a99f6db19cb2679b665cade6d8a6a4f73e97d027dac01821

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
243KB

MD5
8508074c7bd8255ed0dc3098a7943ced

SHA1
ec9681353f462a5ab60a102a2d3555ae454dc305

SHA256
f000ba3dcf187574f67d89811cd95d2c4a75017652b1157b929fa021cb8c8651

SHA512
6f8683c970da0364a0079a0fdea516f2789706f8e813f1a7657bdbf55476ddb88ec9b4cc32f9467c74c40c5b29882e25b7ccb3058321d125ca3a5d8775628759

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
243KB

MD5
dda95fc1158873d23771252e9d2183a0

SHA1
06bf5173294131e61253eea11a938b1d06611be4

SHA256
c2ed2943d121846d25330bedb72bb07bafea73a9cc3a69189ae763e7d364a47b

SHA512
3d1d8702b0b6d584cad08459a6e39bfa928fade6fb998c2a00c80ff2c97c6c305490a6948bffdb795cb247fbcdd229613670526f85606890d1d47157db265478

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
243KB

MD5
0e83df7575f1cd1a4e80658a7ad74d58

SHA1
14fccb5b9b710a1f4df1d14b1442340e0ae9c237

SHA256
abd634432d3c713ff6b1670a2ebf2f5bb6f31acf92c62473e9f7b3842bba4717

SHA512
2ff2a33293f93defa72a446a22608aad87edadf8fb9c49413ac8bac6b7f5b8ff17d86d52d45e38fc8c18fb8e997c655be0d184b96f5fb79d62d9543070d543ee

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
243KB

MD5
d0ef71c02421238168688a65cde00c42

SHA1
1d9760995d1422c546803a57de518ff089d8a39f

SHA256
da882277f3e26d819075bd191af1f1474b451a341f11694fc92f0d469409b7ac

SHA512
b7602b72a4b2ce94a258120f49daca3c3021f9edd0fa2e446f507560b21ed014bc9c0ce0a8c470ef465f1089391378b94ff71cf39d7a18810af2052afedbb783

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
243KB

MD5
d3dfb031181c475f8b9ac83540482d7a

SHA1
79a1595a2db1720065785124c8e4500e79be04ba

SHA256
e80ce1a4b941998daa461acb247191943652c1240c6631ccd38091f3f2268d67

SHA512
7c7d491ea718497a0eb42dc56cd7a40bec51bbf843ee19f926e7d300eed7f224f9ec7bc0799410b5e84c3149966f67f7e287e8830ef7eac136a880868232147e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
243KB

MD5
850774c6e35f5d5183b15d767c5abc10

SHA1
db3a69022ee6739d387300fd7d57a80fc2607185

SHA256
35c801332ecc639fe6dd4388bcad1b8bc1a37883c6ac245aac73acf667235429

SHA512
56698282f7aa70b83473b960a7a0097f94ec6162a621c560a2a2759f71ffd73ea2b875cdaf8e8f18eece0886e802f6b54c0c0595596af9bb2e09d897c73f26eb

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
243KB

MD5
65db89b59f7ee25928f396b92bb7683e

SHA1
0bc0b7f05df51339b0eab1ebf802fdead34d4b64

SHA256
9e00abd400cfc82a86c2ff7d1029abdca9ecbaca7336e7907df6b4c336834ee3

SHA512
fc037a72dc5a19b46043c932cd12806fb0e201a51bc3907034eaf103448029ed364c54c17afdb41ea49085c7269d66b5b8c64d70118804ba94889bfa03611c82

Download Submit
\Windows\SysWOW64\Chhjkl32.exe

Filesize
243KB

MD5
f9da252624fde83c264c2f9d17c30ff6

SHA1
10c2e78782f3848291dfe70ed2fecb067be541c7

SHA256
521b66d08b84f8e7ffb4f9e727b7386594fa95a379c30e73ea250d28c7521471

SHA512
f5d1bc6866940ce418697aab363e3ddaacc635175ef93b59be5ee1825312f0f6d246ed3216aa15554287844a65885dc3ddd4acfebca28d332c79f53e8e872a4a

Download Submit
\Windows\SysWOW64\Cljcelan.exe

Filesize
243KB

MD5
f276c35d33adecdfd205ff216581ab8c

SHA1
ac7fa5892ff7bdc84d6113b6f017889a9cad596b

SHA256
c2cf9b6ffe103cf332e81accfc74798c8fac234b2615482e5675cf81135bbd2a

SHA512
2e7641b975c0f7ac4c302cdd5b3abab14fd106e9af992ec7c46d3dad6dba156f44dd3421e369ce8686f0dc9a511fd8a62ebec848f4c79c1343b18bacea0ef62e

Download Submit
\Windows\SysWOW64\Comimg32.exe

Filesize
243KB

MD5
8f334cc5c42b4b9e956374d22d0b1fd7

SHA1
7682c6f34e7ef5b53bd197242a98229c9cc1fae9

SHA256
7c22cf5d4b0a152325e86ee6e26e6354f6baf925abb674b78bd20416dbd9d23d

SHA512
53092a5a285899f145db659a6a9b98d4ce92c1d3405be976894d47fdc63a5d0d2e59ea82554151ddf23460b338347e4a949c562b3b366a297cc20d64c6b5c283

Download Submit
\Windows\SysWOW64\Cphlljge.exe

Filesize
243KB

MD5
7cc132c76646f721dbdc6664a4c580bd

SHA1
d24ad3bdf6e03cbabfbb65087671f8890c515040

SHA256
39970d3235fa129e279923b8898e63c48c5331d566725b59feef615852ceb810

SHA512
1975166637ae92a38270e0dacf91d9b0f581cee5d209e1aad06bc1e1e85400fa804142faa036b4d59ea6373581170ee3d86484f1f2f096bfdc4ca1c1f16b1811

Download Submit
\Windows\SysWOW64\Dcfdgiid.exe

Filesize
243KB

MD5
c5cd5db7e4b764942b2acf5415f3e83f

SHA1
0fb2ae12fa4461f7582830833c40051992546b79

SHA256
3f55d16eca02b916fd6676bcba47bc085e748fcc33fd69d9f91df3fa9c8b6b62

SHA512
22fdf33e84bf476b63ad390600a73e2fbff407d48542f4eb5a4efae5d7b0bffe6b116c4495193dda53e5b724985208a113631f56fd961b94f3616752ae33edb2

Download Submit
\Windows\SysWOW64\Dfijnd32.exe

Filesize
243KB

MD5
aff5b303015508e53d055840fe86024f

SHA1
0234a2c37f191822e4972f918e03c1de4ac42405

SHA256
a85ec2348a7d6706bb5a0cbac6aab07452ece8e95d5b9b9690d637792e5d749a

SHA512
b1be254880cd41ecf2e7b6f097a9d97fc47c93ac4608e66e430232a2ac497a96fe1a08339d0d37f09df1df4672a255fe0240d5f93ab606902ae4703d992e20cf

Download Submit
\Windows\SysWOW64\Dhjgal32.exe

Filesize
243KB

MD5
c84f2421c7e53b3391ea56da0bdf9ac6

SHA1
32f34aa8f81d883751b96470b6ea8bbe4f7d3b3e

SHA256
0bb2b8e593bef2875f75e894029fd058f7a8f3c95ae71e895655587f67d6c622

SHA512
3e925ba8838034968a5ef3467bb63f0ba366372c04964dd6239aff051b4c066a185ea28ede2863499681e41998faf99080d766baa176842c44601ccab0549b16

Download Submit
\Windows\SysWOW64\Djbiicon.exe

Filesize
243KB

MD5
e8efa86f692d6fc9119ece16202032d3

SHA1
e403a13f3b65b86f2b35227c3b805771040804f4

SHA256
f49d181ae83596345ca7cc7658f75279b20a93ef080e6fed6daf7948c462ec58

SHA512
d94ae2ae8888cec876b4779565cb9bcaec2a229f153e2e39bf68b441d8d12fafa5fa96fd790c1decc4c6ec1af48cc79de9476c9270514bf663db84055062889b

Download Submit
\Windows\SysWOW64\Djnpnc32.exe

Filesize
243KB

MD5
9b80418ccf2b3408462732c4344b1802

SHA1
bd3705061d1470043938d5828f6c93fc6e9a8d20

SHA256
d43e3ced50dbc004dc7d0babd937330ce77def5ef0aaaa5770055b3b48fe5291

SHA512
539f85e95ff4a6eee29b9c52fd0ea44a44c4b6b2b3c905dc87d829f8f8f9d4bb9a90452a18576f44113d21ad6a2b64e08ef46aba334a31f8ff48e96e6dfab58b

Download Submit
\Windows\SysWOW64\Dqelenlc.exe

Filesize
243KB

MD5
74059881fa1189e8021685765da438dd

SHA1
0fd67562e3c37a617f58375d0953888cec166662

SHA256
e30c21c90142412e44bcdf2cfcd658bd41014208d145245fc372f5e9801732d6

SHA512
e7ce047b5ed069b6bee4ee5746f6d7626a2fbe45352036b20d4ef12533be980224437d7b644f1f1f229c446b75d7e8e10a09021d808cf04bf7910fb2d5d46e2c

Download Submit
\Windows\SysWOW64\Eeqdep32.exe

Filesize
243KB

MD5
3a98865e49f48e8cfe3a048a19223233

SHA1
6047e21c4aaec1f3764891df329a5429e4c9fed8

SHA256
0e83054dda7a48afdc4354c6dce949e4edb027197d23bcb1b9785e924594bb35

SHA512
b7278a8a0145ec44e8fa9f896522be84b8c331d4b6bfc2764bacced44377b8a4f6f15555100dcd4a9f6f7212d96186f5d1701951547237f97f6e78fd39fc439b

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe

Filesize
243KB

MD5
14c45bc14b238339d15eefaba31efcd7

SHA1
5e13560dd36818a6ad029d46a0848a138d25c414

SHA256
c30887e57931f3a1893c5c5c12b9ade5102ace057d1e09b5f0577c70a4edca48

SHA512
06b0c58d19e1e9f0262f28481177cfdebfc8928ae66ec3e62052cc5b414f434d3af52ed24ff3717c34df1958d745bf6247dcc6f27baca5f0ad9b28c765485669

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
243KB

MD5
d4330be4326a3799d06d59433e7c302b

SHA1
faf65b5d576826ed7381d37ea7ad096af334485a

SHA256
478b93698869834956f91325856f6c96c3d76b895c890be2368250a109ced29e

SHA512
4708df551dde526fcf4ddc9f20ec596cb199937b19c9fde0b3edbbd2bd856073ac734e78cf81274a81665967ac1bc5b738fcabbfa67feec8167a78afc96d6e35

Download Submit
\Windows\SysWOW64\Fjdbnf32.exe

Filesize
243KB

MD5
5ad3faf2d8a0f437f85cfe398e4da258

SHA1
c4cd3368a12b062afa27dfda2113be8978d9fdb3

SHA256
16cbc09da2e201b350d94b7f91647e67b8316a95be5e751d33da43ad770bf68b

SHA512
dab0400edea89dcd93ec298409677c8632d6f6a9f1db65358489fb4a48268de037d4af71eaa7d54f2c23e266a4bd94c67a2690aac9035b0e36229b15547fd4e8

Download Submit
memory/1236-65-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1236-53-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1236-514-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1312-257-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1312-258-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1460-227-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1512-157-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1512-528-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1580-301-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1580-307-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1580-311-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1592-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-439-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-506-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-449-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/1652-6-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/1740-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1740-291-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1740-287-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1752-312-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1752-326-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1752-323-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1824-231-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1824-237-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1876-280-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1876-270-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-276-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1928-171-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1928-530-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1928-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1940-265-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1940-259-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1940-269-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1988-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1988-24-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1988-508-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1992-344-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1992-339-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1992-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2148-238-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2148-251-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2148-250-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2232-332-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2232-331-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2440-518-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2440-86-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2440-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2452-377-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2452-373-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2476-395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2476-404-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2476-405-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2496-520-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2508-415-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2508-410-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2508-416-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2540-510-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-35-0x0000000002040000-0x00000000020A7000-memory.dmp

Filesize
412KB

Download
memory/2552-363-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2552-364-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2552-354-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2644-188-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2644-202-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2644-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2644-196-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2676-512-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2700-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2700-393-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2700-394-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2756-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2756-526-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2756-144-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2788-173-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2788-187-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2788-181-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2788-547-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-516-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2820-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2820-522-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2820-114-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2844-383-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2864-203-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-218-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2864-211-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2888-300-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2968-426-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2968-425-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2984-524-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3000-437-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/3000-436-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/3000-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-353-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads