493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Size

196KB
MD5

0321ad0fbca8a5aa42b1cc04ec046ba0
SHA1

fe36177934dd73a525713a9d1f4be6b7d9670e16
SHA256

493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565
SHA512

f4e69b914922194b4e0a5530c2294d3cc116f910410ba1841359ccf97463ae4a00cba8f0d4f69aaaeba274218685932061129b022d83af2454abdcaa716ee322
SSDEEP

3072:TJ0fq4421D/oE5cKueKgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ+uFli55p1:TVF2Ws5BrtMsQBvli

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dflkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddagfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqhhknjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djbiicon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dflkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbiicon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Henidd32.exe

Executes dropped EXE 39 IoCs

pid	Process
1560	Dflkdp32.exe
2448	Ddagfm32.exe
2900	Dqhhknjp.exe
2752	Dnlidb32.exe
2764	Djbiicon.exe
2572	Dfijnd32.exe
2680	Ecmkghcl.exe
2808	Ekholjqg.exe
2332	Eeqdep32.exe
340	Enihne32.exe
2568	Eeempocb.exe
476	Ejbfhfaj.exe
1636	Fnpnndgp.exe
2256	Fhhcgj32.exe
3028	Ffnphf32.exe
1476	Fpfdalii.exe
1336	Flmefm32.exe
1000	Ffbicfoc.exe
672	Globlmmj.exe
1536	Gonnhhln.exe
616	Glaoalkh.exe
1756	Gpmjak32.exe
3024	Ghhofmql.exe
2020	Gobgcg32.exe
2360	Glfhll32.exe
2412	Goddhg32.exe
2996	Gkkemh32.exe
1600	Gaemjbcg.exe
2652	Hiqbndpb.exe
2760	Hahjpbad.exe
2644	Hlakpp32.exe
2832	Hckcmjep.exe
2524	Hnagjbdf.exe
1640	Hcnpbi32.exe
2740	Hjhhocjj.exe
2824	Hcplhi32.exe
1656	Henidd32.exe
796	Icbimi32.exe
928	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
1560	Dflkdp32.exe
1560	Dflkdp32.exe
2448	Ddagfm32.exe
2448	Ddagfm32.exe
2900	Dqhhknjp.exe
2900	Dqhhknjp.exe
2752	Dnlidb32.exe
2752	Dnlidb32.exe
2764	Djbiicon.exe
2764	Djbiicon.exe
2572	Dfijnd32.exe
2572	Dfijnd32.exe
2680	Ecmkghcl.exe
2680	Ecmkghcl.exe
2808	Ekholjqg.exe
2808	Ekholjqg.exe
2332	Eeqdep32.exe
2332	Eeqdep32.exe
340	Enihne32.exe
340	Enihne32.exe
2568	Eeempocb.exe
2568	Eeempocb.exe
476	Ejbfhfaj.exe
476	Ejbfhfaj.exe
1636	Fnpnndgp.exe
1636	Fnpnndgp.exe
2256	Fhhcgj32.exe
2256	Fhhcgj32.exe
3028	Ffnphf32.exe
3028	Ffnphf32.exe
1476	Fpfdalii.exe
1476	Fpfdalii.exe
1336	Flmefm32.exe
1336	Flmefm32.exe
1000	Ffbicfoc.exe
1000	Ffbicfoc.exe
672	Globlmmj.exe
672	Globlmmj.exe
1536	Gonnhhln.exe
1536	Gonnhhln.exe
616	Glaoalkh.exe
616	Glaoalkh.exe
1756	Gpmjak32.exe
1756	Gpmjak32.exe
3024	Ghhofmql.exe
3024	Ghhofmql.exe
2020	Gobgcg32.exe
2020	Gobgcg32.exe
2360	Glfhll32.exe
2360	Glfhll32.exe
2412	Goddhg32.exe
2412	Goddhg32.exe
2996	Gkkemh32.exe
2996	Gkkemh32.exe
1600	Gaemjbcg.exe
1600	Gaemjbcg.exe
2652	Hiqbndpb.exe
2652	Hiqbndpb.exe
2760	Hahjpbad.exe
2760	Hahjpbad.exe
2644	Hlakpp32.exe
2644	Hlakpp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dqhhknjp.exe	Ddagfm32.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Ecmkghcl.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ndkakief.dll	Ekholjqg.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fhhcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Djbiicon.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Globlmmj.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Ccdcec32.dll	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ljenlcfa.dll	Dfijnd32.exe
File created	C:\Windows\SysWOW64\Njcbaa32.dll	Dflkdp32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hecjkifm.dll	Dqhhknjp.exe
File created	C:\Windows\SysWOW64\Jmloladn.dll	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Dflkdp32.exe	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Dflkdp32.exe	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Ddagfm32.exe	Dflkdp32.exe
File created	C:\Windows\SysWOW64\Eeqdep32.exe	Ekholjqg.exe
File opened for modification	C:\Windows\SysWOW64\Eeempocb.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Fnpnndgp.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Djbiicon.exe	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Flcnijgi.dll	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfijnd32.exe	Djbiicon.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Glfhll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
592	928	WerFault.exe	66

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll"	Dqhhknjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eeempocb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll"	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dqhhknjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecmkghcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll"	Ecmkghcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddagfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnlidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll"	Dflkdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfijnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eeqdep32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1560	2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 1560	2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 1560	2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 1560	2944	493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe	28
PID 1560 wrote to memory of 2448	1560	Dflkdp32.exe	29
PID 1560 wrote to memory of 2448	1560	Dflkdp32.exe	29
PID 1560 wrote to memory of 2448	1560	Dflkdp32.exe	29
PID 1560 wrote to memory of 2448	1560	Dflkdp32.exe	29
PID 2448 wrote to memory of 2900	2448	Ddagfm32.exe	30
PID 2448 wrote to memory of 2900	2448	Ddagfm32.exe	30
PID 2448 wrote to memory of 2900	2448	Ddagfm32.exe	30
PID 2448 wrote to memory of 2900	2448	Ddagfm32.exe	30
PID 2900 wrote to memory of 2752	2900	Dqhhknjp.exe	31
PID 2900 wrote to memory of 2752	2900	Dqhhknjp.exe	31
PID 2900 wrote to memory of 2752	2900	Dqhhknjp.exe	31
PID 2900 wrote to memory of 2752	2900	Dqhhknjp.exe	31
PID 2752 wrote to memory of 2764	2752	Dnlidb32.exe	32
PID 2752 wrote to memory of 2764	2752	Dnlidb32.exe	32
PID 2752 wrote to memory of 2764	2752	Dnlidb32.exe	32
PID 2752 wrote to memory of 2764	2752	Dnlidb32.exe	32
PID 2764 wrote to memory of 2572	2764	Djbiicon.exe	33
PID 2764 wrote to memory of 2572	2764	Djbiicon.exe	33
PID 2764 wrote to memory of 2572	2764	Djbiicon.exe	33
PID 2764 wrote to memory of 2572	2764	Djbiicon.exe	33
PID 2572 wrote to memory of 2680	2572	Dfijnd32.exe	34
PID 2572 wrote to memory of 2680	2572	Dfijnd32.exe	34
PID 2572 wrote to memory of 2680	2572	Dfijnd32.exe	34
PID 2572 wrote to memory of 2680	2572	Dfijnd32.exe	34
PID 2680 wrote to memory of 2808	2680	Ecmkghcl.exe	35
PID 2680 wrote to memory of 2808	2680	Ecmkghcl.exe	35
PID 2680 wrote to memory of 2808	2680	Ecmkghcl.exe	35
PID 2680 wrote to memory of 2808	2680	Ecmkghcl.exe	35
PID 2808 wrote to memory of 2332	2808	Ekholjqg.exe	36
PID 2808 wrote to memory of 2332	2808	Ekholjqg.exe	36
PID 2808 wrote to memory of 2332	2808	Ekholjqg.exe	36
PID 2808 wrote to memory of 2332	2808	Ekholjqg.exe	36
PID 2332 wrote to memory of 340	2332	Eeqdep32.exe	37
PID 2332 wrote to memory of 340	2332	Eeqdep32.exe	37
PID 2332 wrote to memory of 340	2332	Eeqdep32.exe	37
PID 2332 wrote to memory of 340	2332	Eeqdep32.exe	37
PID 340 wrote to memory of 2568	340	Enihne32.exe	38
PID 340 wrote to memory of 2568	340	Enihne32.exe	38
PID 340 wrote to memory of 2568	340	Enihne32.exe	38
PID 340 wrote to memory of 2568	340	Enihne32.exe	38
PID 2568 wrote to memory of 476	2568	Eeempocb.exe	39
PID 2568 wrote to memory of 476	2568	Eeempocb.exe	39
PID 2568 wrote to memory of 476	2568	Eeempocb.exe	39
PID 2568 wrote to memory of 476	2568	Eeempocb.exe	39
PID 476 wrote to memory of 1636	476	Ejbfhfaj.exe	40
PID 476 wrote to memory of 1636	476	Ejbfhfaj.exe	40
PID 476 wrote to memory of 1636	476	Ejbfhfaj.exe	40
PID 476 wrote to memory of 1636	476	Ejbfhfaj.exe	40
PID 1636 wrote to memory of 2256	1636	Fnpnndgp.exe	41
PID 1636 wrote to memory of 2256	1636	Fnpnndgp.exe	41
PID 1636 wrote to memory of 2256	1636	Fnpnndgp.exe	41
PID 1636 wrote to memory of 2256	1636	Fnpnndgp.exe	41
PID 2256 wrote to memory of 3028	2256	Fhhcgj32.exe	42
PID 2256 wrote to memory of 3028	2256	Fhhcgj32.exe	42
PID 2256 wrote to memory of 3028	2256	Fhhcgj32.exe	42
PID 2256 wrote to memory of 3028	2256	Fhhcgj32.exe	42
PID 3028 wrote to memory of 1476	3028	Ffnphf32.exe	43
PID 3028 wrote to memory of 1476	3028	Ffnphf32.exe	43
PID 3028 wrote to memory of 1476	3028	Ffnphf32.exe	43
PID 3028 wrote to memory of 1476	3028	Ffnphf32.exe	43

C:\Users\Admin\AppData\Local\Temp\493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\493c255aa0dc348df137bd4609f884f68270adc5f6e6a3eee3c178475fe84565_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\Dflkdp32.exe
  C:\Windows\system32\Dflkdp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Ddagfm32.exe
    C:\Windows\system32\Ddagfm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Dqhhknjp.exe
      C:\Windows\system32\Dqhhknjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\Dnlidb32.exe
        
        C:\Windows\system32\Dnlidb32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Djbiicon.exe
        
        C:\Windows\system32\Djbiicon.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Dfijnd32.exe
        
        C:\Windows\system32\Dfijnd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ecmkghcl.exe
        
        C:\Windows\system32\Ecmkghcl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Eeqdep32.exe
        
        C:\Windows\system32\Eeqdep32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Eeempocb.exe
        
        C:\Windows\system32\Eeempocb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Fnpnndgp.exe
        
        C:\Windows\system32\Fnpnndgp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        40⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 140
        41⤵
        Program crash
        
        PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfijnd32.exe

Filesize
196KB

MD5
8e820529c29adbb7fa79604fd04031a3

SHA1
28a8f9d054a5cdd9b8b22f74b5f1f699515d9e47

SHA256
c441ddff13445a42b4d390ebfed4e6bac708334a5dc3a3a22cd9c29e38fb97a6

SHA512
470d191a89b6a28753d3439a7dc3b194225f95d8d47556fa1b805972f280ec0f45427feb5e5261427256fae9557fb4e7c3dcd4033189f2d3fc83db53cce726e9

Download Submit
C:\Windows\SysWOW64\Dnlidb32.exe

Filesize
196KB

MD5
74d4f7b0885f28cb13f0fb3caa0ea1d4

SHA1
9df15cf9230839abf9f5b70320122a826734f79b

SHA256
58f466fd98d74e0239e1536f8d211beec86e9c70e7fb073fdaf9f42be330d0ff

SHA512
416e2976787e1ab2ccb77204d7536a2ea66ffadc14e76087d4a5f71736d65c0a835aba49f1ec0fc1ed90a31369c8137badba6ec3e7a60f3d56add93ab4a51737

Download Submit
C:\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
196KB

MD5
117a93b14a934d8d752946f4efb3dfcc

SHA1
8018dc74ccadeefefdfe0979b6b625224cd7c633

SHA256
c7043a077f82baed4d9afabef2f175487c8a1fc6df89ae604d51fa1088b24045

SHA512
8360ca556c0b83d57975f0ab3183a12628433cb324c3f2411f2b2d18f5cbad3a82c71f66671d2c5129a9ba36e4cf222ac37f9fedbef21b1d77620ddaed83379e

Download Submit
C:\Windows\SysWOW64\Enihne32.exe

Filesize
196KB

MD5
63250ac04a3d86479cbbf3f36dca2e9a

SHA1
1a6401c5349b80a0bd2325651acc7925b24d90f6

SHA256
410d236e5da1bf08e0e2fe4ce85c12c809954c8a16ab5b2231b180b7de27bad9

SHA512
65cd358f99b0d2c85766467751882efba8d1ec14578a46699adb00dbe4de5718469930b85b7668b506daf5ae685979a941c3c3ba105891d0e4940b6b432e64f1

Download Submit
C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
196KB

MD5
fa4b0b698d05cc84d30b04ed800c4186

SHA1
37b63b8901437777060a4dce169f4bcaf406c373

SHA256
d541bc1147f8cc0861ca62de45b6a219fdd7f0393bf8669efd829763eb6388e2

SHA512
5a049f2fa00b062fb96a2eb32adcc9c3b5ef5cd9115b384c16bcda0568d0859dee29753a3b2dd7fcbe66ca5fedc650fc1b4dd1758fe8b831ac1c5afbd7b82fc7

Download Submit
C:\Windows\SysWOW64\Flcnijgi.dll

Filesize
7KB

MD5
ca30971037ac450077232cd34bb13f9a

SHA1
438843d364a17f98b8f4d607e7a3c1bd524978f7

SHA256
9291a6eba908c611e0848c92559a3e0603bd40e74f1739f83814302135560130

SHA512
ee23a2e53c8424910a57410b7533cb5a17ba3dc17d163258d5875535c8cc23314d28538a05ff90dc8784c05deda80c68368fdd671305afc6645bb9ce9556d539

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
196KB

MD5
f8d304b2505b5e0f00cdf9bae80066bc

SHA1
ec4d09c01d563d1c16143dd13737b0303cfb9d1b

SHA256
957cc734919c55870f6a3376f5aba8ba0f756c3c44b1ae06021003f3266b6986

SHA512
86ee4d19f1484a779e849ba1ce440799af3b1cf6e4931e25e1c8af0ccba19482e65a7232e9c3821413e2d3ad561697ce71993bf6510d109b525dfb45ee89db69

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
196KB

MD5
8fd17bdbd61a578c29156001a7fc5510

SHA1
3f3d8041127a85423492a58705aeefabc7f49166

SHA256
e61bf41420d9db4b74adbded7a3ca21597dee758171fd71007b7a7e9218f5853

SHA512
7e5ed65047cfa8d3b1ae9f064ec397ab309914c7a7e4bf5931ad928fcafdd2661cad53bdc700cf0f260747b7e2e474f6fd32aa3173ea93c0957e380ca1724fab

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
196KB

MD5
037e2225303cdb911e899082b2d01c55

SHA1
752032e6474caccba93a8fa733437eb9c8b8b4bb

SHA256
ea51ee31591f36bc00652896509ba22a17721f1791d7372307325d2080a87e43

SHA512
eb2d2ac6cc11cd38a3f8435e37c26b8d70f35eba75e9d0402bc3036481a97da6de97d7a9aabed21a44ba1a1300e0e1c456f3b68372627da1205216638526312a

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
196KB

MD5
1ffc961f0dca9c9fdf1e230db6bfa329

SHA1
ef11dc1f42438340034849895bb63029cb8592d4

SHA256
fb5edfd37c7f4bc55eb96c47cc3bc3b1013892b4e052323564060bbd940007ea

SHA512
c3efef2b0077dc2d12d3d701d0af060828cfc107bb1eda4516eb090ab40ff76ffe2eb4d8d36d36d732ed5e3c6175f8efdbfb0833b5cd62e94d71d265c40c96f0

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
196KB

MD5
dd2e915bf5319ef96fa05467c7a4629a

SHA1
697979eb3a7da8daff57645e557898d9d4965b11

SHA256
81efa9b27cd71270d64ed2c120d33dbea14195e0b787390a12e8654d69cd4e75

SHA512
6f536cb7e9b8ac2e112da7ff20eb68951460e2276d299b304453bbc490eee559ff6f6e4508619d3e93706487a4eb0c000f24807bf11456bbf09e63a34d53c70d

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
196KB

MD5
4be6557fe0a38fcb1d05f45090d249e3

SHA1
7d8bc99968428c4316cf16ad848bca88fa1c70e4

SHA256
efb8df371fa8788acc498ebcef69ff8482565c34303469b4c79834eb11825c36

SHA512
2d56139ffab1f3cf390b8a925cad37fc8a9ab98aba94f2822524bae41fcfc6eea1457e9fe1089c9ace6c6852f72cb25b7d32416cf4bbb6891b7688b1fce7bdfb

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
196KB

MD5
e66a060efd6b4bc4d1a72007f0654fe7

SHA1
211f054ca492db8d710490240aae0d1483272a58

SHA256
049f25069334dfeb2762822c4536c4be6843694a32bf6479891fd71bc5747fd1

SHA512
c540d92f7345e0d723731a8976d729e80fa373f102640cfe43bf03d25feb3c31594269e6cbd04bd3d9ebbeba6b42f126b0986e6152c173c9eae34e7cd6adce32

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
196KB

MD5
bad5bd91bf74170f9bb47f4bf776fcd3

SHA1
2b24c131f27de00cac90ca612def08c30096a0ef

SHA256
f4fe8522eb8f11687e29bc4927c96e7b84a3105b6214d8c5e2cfb9d9a0ac63dc

SHA512
eb77b2e2844f47703ec61544b546fb16d110c0ce370bc67351ad96ee720ff96afc0bc1ec5e938f84770fdeff80f5fa89b4a4a26e6158a79cd5793b039401c0c1

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
196KB

MD5
07aad5fd3c960651eddba3b13630c8df

SHA1
26e2d7530e354caeab64108c2379941411704704

SHA256
5e17d8aebedae13fdbfc2714c5cfe5e603243d9c35dc9887934b64839711c68b

SHA512
95b6b33732881b07600c49eabe7cf6d6423fa7dafa261c2ab35eb37f30152e8f1be6bbca6b83ea48f14e2160b958db316be001ec4f01653d4a17067c0f1ece9e

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
196KB

MD5
39523fb90b5eef3955971a69753243cf

SHA1
f739c6e610e8362b2215140267276533ae039abc

SHA256
dd5a0baeb4929e74a241bc49fa121c35fa7a188759fa993503e6b6af4429c5db

SHA512
3a1c0dc05676a1c14f8a88dddec3bfe4e778bcd0767f1930dc4e67f6b3c11ab832672043bf67796633e1b8c87b51c9e8ec82264be81fbe39b9d99890fe835fc8

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
196KB

MD5
10ea5bc3de625820f2878d346f76df84

SHA1
a13645867da7f155fe9f8a6ddaa4746455da9cb2

SHA256
cc72321d32dc63fdfd77c8035f0e510217bb5704265ec3ef84d0c024ad0710b7

SHA512
31b2e887ffab56b37f6f880d6b7dfaee310cc8411ef9f6535e009fb5538a29d6224e39b1a1b6a13d6384f031af2b37c00a6f687edfbfc352fe6ef1fd6201db19

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
196KB

MD5
a21ef94b3ac7e93a7e03637b4c397505

SHA1
59184683c7944028a360cb9413cf94910c34e4ab

SHA256
13bb0b88d17cc2f82fde909c4f44f98a9de6775a7b4e20423dbe483af53e8c16

SHA512
ad9cd2d365b35d8d7c08a5731d71e0344a587fa68d2a604aa0c9e0621b5f7d3f0c9d1060be0f86b7020dd194803b590db3a365a8132b28cdc62761d159ac8641

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
196KB

MD5
b80132e808941905b7b945a7d23bbfc2

SHA1
9162313c09a30adcce9ed172d5a4d774b075f558

SHA256
9a00740dc9ab872914a510a53bf226e3f4a2906946abb09eda9724bad5e9125b

SHA512
9b6bf45b30b1c4ec11eba03152a75056a5fa2e33d9137c0fe8f92fd33e8368d8f3b405c40c7fb45bc79d59f8e9517efe6c39a7a70ec2a6af79477da5122b4d8b

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
196KB

MD5
a4919be1079d0dd95a198bcd18ee6604

SHA1
6c8dea4c5b8c16b7a5b71e592d494fab0a03ec2c

SHA256
dc5a480352de26bb8766a8a91afdc5adb18359e2af55df6d075608fe7557c697

SHA512
be66b8865878473a11dd6a3c6aaed6130d7c1e2860d49fe9b986fc5358e450e6f631fb9937c08004bda76974221fba1cff352b2232c4fff5a3ae1a6556a222e8

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
196KB

MD5
10648169b8537059fc6f1399684bb8e1

SHA1
d0d435f0c527b4fe59a88dada6d3783eed0dbcc7

SHA256
af69756b4940682f5f0443ffece9ce4d6118cdf464c093acc33e2976d8bc220f

SHA512
046feccb904de37ed1d190487540bac3800bb1bb94913660dbecc53be389de46a1566005712b49fe392c680731e34e502e0251fdba777c18c819869e35f88ca0

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
196KB

MD5
b9c1709624bd0cf2354e7be859f39e1e

SHA1
6553f25f3dd431dc8823138098349d0580d19d24

SHA256
a88ecb7af8bc6f92246dfac88453befdf8756416d9733b898198d5778fd94ab3

SHA512
3d370c22fe76d9f2f545bbe0169e5e8b68ebf46ebdebff1988639ba720034d9b8214d8baa596aa1b877dd3a9a3491526505f8e2040498511961248914feb8f9a

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
196KB

MD5
a64712259c7cf307e42154da7992e1d7

SHA1
c6df8e579ec585fcd432e265ea7ab79e9399e61b

SHA256
de31f33f91931d951b852dc0aaa4d02168960435886196c063764e2ed622ce40

SHA512
efb9549b0f9b2b9ef0c40653c25738144cec7037bc9db1434a10b813b499316449749c497ad578c99160cc557300d05fa7fe37ccd81a460d4632e3fee21fdda5

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
196KB

MD5
bd749807b74f242b9069913679641da5

SHA1
845999d68317b4b727c2401943951d6ab6d91af8

SHA256
2f0d3874bd03e393bf9e3962e198cd699516afd793e8b92644cca70ab4124578

SHA512
1e1f4dff2c9dcac59ae7d3dffca94988c1adec039cd7c2c983a59a71a24c67e98a170b5f01b37aadc38f0e612bf1a4be52af61e8bcf3c33c398b1e2a7643cdd6

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
196KB

MD5
c62efd3cd2afd28308615b5790e66f8d

SHA1
43974cb864b924de114f501bd58edd4353511836

SHA256
e554f04e3a04919f9c2689fdadc55d6e6dff5a1ae54ca923731e676a38a7f498

SHA512
b0415d21cb6677d5915ad791d594e4b3fd97ad465f64605b8409f0a9c53e4f0c11d0571ab6a2ab451eda4a95da5bcaef3b051db6188e279208f756c398a2a83e

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
196KB

MD5
f244406b75c8fb6d1bb164e90e47dfac

SHA1
80aba536b2079d3c873cc90c6d3c0a805b1138c9

SHA256
d0265f4396ca67f9645daced1eac82018de88d45b57dfba3043dde0ba98b13c2

SHA512
6b2d899b31d43fa65cd680e63fce08bfff8fbb1c9f25d8ebb05ce587e8893feb875524c4b2ff137e9ff8764eb315fcc100ab66971d5ac1c16dbacd4de46d34bf

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
196KB

MD5
7dd32fb5663a65f64c8749d229060e91

SHA1
0e79c21c0e52742e357ee1b3d50acf21d06db613

SHA256
868bb812cba470ecc3079f0cd3f5f7ec6bc257ca670fc3e872d286f18154ea16

SHA512
05c69592eb8689c148fa117894176bec1bf1b762f28d25eacbe921d02545adbf548bd884fe47102dab982622a68d7beac261a15fa1bb04ce17b3cb3b6f5bbdad

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
196KB

MD5
63f46c501e6836228863949ed79e6e1c

SHA1
23d208aee2e547be31623c1e47d5940d320b727f

SHA256
fb64da8402ccd2d28d2d14a4f4ac7bfe603ad11f728195daa29db8e91bbfb3ba

SHA512
29de49a22477435dc1f2c79e0aa86462df9daf2848208fa894bfa8f47c556b1894c1774b0ae9cf43e5ddfc62424232a9dc0d09707002b378268d6473de8c67ac

Download Submit
\Windows\SysWOW64\Ddagfm32.exe

Filesize
196KB

MD5
95fba1a038dc6a2fcc6ed22f1c266a90

SHA1
01d3fee1951741f4369d899eab57b7ee0c22c16d

SHA256
3737c6375a90fe72cb8976bb24b8daadf97c05464eef8a72bd6fe79ff31f207a

SHA512
98849c099d9b30e26d8ca929b3d5fe6c6bc9eff3ba776395a108cff47147e197c5e2c068a054cf736898594626982cc6dfd58043db7058e99de6a2572e8a20d6

Download Submit
\Windows\SysWOW64\Dflkdp32.exe

Filesize
196KB

MD5
8019bec4e25de15b060d3cbee0c89f6d

SHA1
d323734925dbb2f107c326a69a0950f26dcfac97

SHA256
1467fc442bdc2fcc75beeddfbfb72886713a3498af843b86b3dd99ffce8e9157

SHA512
124bf8d7993bdbe33a32f6d7a235a7dd3a48b116fc36c87592217aa61da4a5457f008c25ee487a224ec3c9482738d8695021565f53b7c89932190e2502f1b742

Download Submit
\Windows\SysWOW64\Djbiicon.exe

Filesize
196KB

MD5
5b8a59408f63bf1191df771fe9bc4af0

SHA1
d7384d710e4a3cccee09c26faccf44062a1ac22b

SHA256
ec39272fb55d910fbf46f49c9c1889bbaac6be9e89a552f774b21c89e84189f4

SHA512
df5a67bea511f3ac8f706d3006c9043c9e34046566c000290eb59ec401973c83d074b53309e5c43bbe926ac2e664e59873aa0eedad569389d24759efeff85643

Download Submit
\Windows\SysWOW64\Dqhhknjp.exe

Filesize
196KB

MD5
e253b6f4ec6b3a402244c2467c9e4ff8

SHA1
092c1125e59557581c65a275877097d1da6552e5

SHA256
a98f7abddb30c39baaf9861194c7b3b9053dd7702391bc36283c7ded3cfb5f02

SHA512
a2d6fd79959d82e1b6b71f558d0411ee6cac32c749eb8e41dabe0ab6c04e9f9728982fe04adaf68ae89eda4ff0355e4363d72119ac2012a00cc1c4f8a0917990

Download Submit
\Windows\SysWOW64\Ecmkghcl.exe

Filesize
196KB

MD5
cbfc7260b16a3f9d436a7134fe73f6c8

SHA1
2bb607143b1e75aad4d6080ee1c88a0728448bc3

SHA256
9dacf2d7d16ab083c4d25c2af2e4427b62938254fbb7b7e4fc766c42523da694

SHA512
9fd43743f20d8b7ae167a3f5a19d585c14c7f2f05198b8506fb9925167289d99f591421b479f5c6777adb8aafcdc5f2e44dcd402908bb586c764d84a3c457043

Download Submit
\Windows\SysWOW64\Eeempocb.exe

Filesize
196KB

MD5
c167543ff4da7f480bd2632713eda55f

SHA1
cdd0a34722f443b464bc1613d84142f292cd04c0

SHA256
128c46bbc988ca0baa8ba24f64939ecadbd91399d6012c75f504a11af5b04c17

SHA512
4c8a189fe29154eb4e98b9d0d309edc4349c53ba0c04d2b70bbeb57dc4d1b1ca34daa1d9dd9a10900ec1a8a8ad6944ea2de329df0db969208db1bbac657a86e1

Download Submit
\Windows\SysWOW64\Eeqdep32.exe

Filesize
196KB

MD5
694aa68d8646c5aa5d1bf46d0adf0005

SHA1
32f914cc3135074a2337f67fdd55e190925e538d

SHA256
715b7611b6e0731398707985f37aad618adea9d76c470fc4dd493e487c0eaa2b

SHA512
34a895153c8b46ddad0776bd08d55b700d9d66759adf3a95fad256ca11eccb2ad3a2d0809e240f8b85bfb1d21f46e4ba37b1a1c9c8568cf8ae54b6f1215938f3

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
196KB

MD5
313ca1c47f7198df5fa40ea504e487db

SHA1
674b8236159ff4e9675131d25a332ff81eab6666

SHA256
2fc371cc9e21a57a39d83fb6fc57c91e36e580535b6bb844fa90af6a4976cd2a

SHA512
32a328cbef8e01a3410dfec36e6adbd0881a4c3773c67baeb01eaddc0450c082a078f7d8c7e6e8c61b8c9aae7bda6da2bc9a557f3ac68b5d53b278264a330994

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
196KB

MD5
ee6b8d27df3a9ff9c10d6fb93de9d36b

SHA1
2db458534c5b2e11cc8ecf73eeea9a05d98684d7

SHA256
c07b55112ab13ddff475f65ecd157dfe34e03d4bff8be0e900d1d9e93ab4c646

SHA512
c2487040241b4b04e646e2892539defa64cf016a4fabd41a35bfee6c72823b0f01e3f6a2fca859ea0ba05ea5ef1dd3d9daa80ca2965e84f2d70534bb4f2a1780

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
196KB

MD5
917caca2a8e6152333ac2f0ad13a47d9

SHA1
31bc74ef5e55d40ddecb48f1114c2b4720dace6f

SHA256
3890c870ebc823ba25508458aaf5181b4ff1c89537a06d338eace088712d9d44

SHA512
c2d2daf84c911ff92dd59ef7f69ee8b6d632e9f8c4447052612ed1ec3a7a78de1fad225d1ab952edcc270f75ed28b5f5cd18c2737ed89b13e5eecced899c9ae2

Download Submit
\Windows\SysWOW64\Fnpnndgp.exe

Filesize
196KB

MD5
14324b474dfd77e1d1e284899e23dd9e

SHA1
1994a079e8af801c865abaca7fcddaf01a6f3e58

SHA256
64debbc8c8509deeddc681fdf49651bcbc41be68775c52c1f970a9835f2941ab

SHA512
d32e0f0a40205780b424f979f21a8f0f728797a5fe369919ec5fe59d8daad1f8dffa2495337e18476fa2e99017a126f694f9b763a070fdff846045b27ec91c10

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
196KB

MD5
07eec46debc5af1264663834b632c041

SHA1
217cdaad7f165abbf7e09d835f8624b63fae8924

SHA256
fe8b63ca0227bb2627257d4368c799cf9b1ca5bf002ff36d3edfa82c189889e8

SHA512
e6787403b72f144f9a7527d951daf9bf3b8a0b740af28ee8fdc607909b200f7d09b44df2e000562371e48112d1859f737eb3050cdf6f99b3da784242283ef7e8

Download Submit
memory/340-146-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/340-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/340-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/476-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/476-172-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/476-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-458-0x00000000006B0000-0x00000000006E3000-memory.dmp

Filesize
204KB

Download
memory/796-457-0x00000000006B0000-0x00000000006E3000-memory.dmp

Filesize
204KB

Download
memory/928-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-238-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1336-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-228-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1476-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-266-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1536-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-20-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1600-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-353-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1600-352-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1636-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-185-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1640-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-417-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1640-418-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1640-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-447-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1656-446-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1656-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-285-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1756-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-305-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2020-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-198-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2256-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-134-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2360-315-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2360-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-316-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2360-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-327-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2412-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-326-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2448-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-33-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2448-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-403-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2524-402-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2524-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-163-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2568-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-93-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2572-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-381-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2644-380-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2652-359-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2652-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-424-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2740-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-425-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-61-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2752-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-369-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-370-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2764-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-115-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2808-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-436-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2824-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-435-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2832-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-392-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2832-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-391-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2900-51-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-52-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2944-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-337-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2996-338-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-295-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3024-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-212-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3028-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads