34b0b0c9230d17bdf2d21565a3863329ae941a1cd556885683399ea3d51bb835

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Size

6.4MB
MD5

7e3501e16b27b4af59b69e362f372860
SHA1

244e77cf9eb11cdf86f59679d8137b940de37dde
SHA256

34b0b0c9230d17bdf2d21565a3863329ae941a1cd556885683399ea3d51bb835
SHA512

3c45226f81486342ee792c356a8afda657d087f52f2575988695c46e7da920917cb380adab900bb0560ec54a8f50b4268906f08b24952320aecbdd415e1d192d
SSDEEP

98304:RN6Gn9646r6VatuKLXZnatuKLXZqatuKLXZ:RnalLXValLXsalLX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlmlecec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adpkee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaiibg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhdlkdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adpkee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhdlkdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadloj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadloj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe

Executes dropped EXE 18 IoCs

pid	Process
1992	Gieojq32.exe
3020	Gacpdbej.exe
2744	Ilknfn32.exe
2796	Inljnfkg.exe
2692	Mlmlecec.exe
1984	Nhdlkdkg.exe
2128	Adpkee32.exe
2764	Aadloj32.exe
2900	Djklnnaj.exe
2116	Dbfabp32.exe
2156	Fjaonpnn.exe
320	Fbmcbbki.exe
1596	Lfpclh32.exe
1100	Ndhipoob.exe
2852	Npojdpef.exe
804	Oaiibg32.exe
692	Bobhal32.exe
2320	Cacacg32.exe

Loads dropped DLL 40 IoCs

pid	Process
2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
1992	Gieojq32.exe
1992	Gieojq32.exe
3020	Gacpdbej.exe
3020	Gacpdbej.exe
2744	Ilknfn32.exe
2744	Ilknfn32.exe
2796	Inljnfkg.exe
2796	Inljnfkg.exe
2692	Mlmlecec.exe
2692	Mlmlecec.exe
1984	Nhdlkdkg.exe
1984	Nhdlkdkg.exe
2128	Adpkee32.exe
2128	Adpkee32.exe
2764	Aadloj32.exe
2764	Aadloj32.exe
2900	Djklnnaj.exe
2900	Djklnnaj.exe
2116	Dbfabp32.exe
2116	Dbfabp32.exe
2156	Fjaonpnn.exe
2156	Fjaonpnn.exe
320	Fbmcbbki.exe
320	Fbmcbbki.exe
1596	Lfpclh32.exe
1596	Lfpclh32.exe
1100	Ndhipoob.exe
1100	Ndhipoob.exe
2852	Npojdpef.exe
2852	Npojdpef.exe
804	Oaiibg32.exe
804	Oaiibg32.exe
692	Bobhal32.exe
692	Bobhal32.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Aadloj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Fbmcbbki.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Adpkee32.exe	Nhdlkdkg.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Oaiibg32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Ncdbcl32.dll	Adpkee32.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Aadloj32.exe	Adpkee32.exe
File created	C:\Windows\SysWOW64\Fjaonpnn.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Nhdlkdkg.exe	Mlmlecec.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Fbmcbbki.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
File created	C:\Windows\SysWOW64\Mlmlecec.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Nhdlkdkg.exe	Mlmlecec.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlmlecec.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Dkjgaecj.dll	Nhdlkdkg.exe
File created	C:\Windows\SysWOW64\Ecdjal32.dll	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Olhfdohg.dll	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Aadloj32.exe
File opened for modification	C:\Windows\SysWOW64\Adpkee32.exe	Nhdlkdkg.exe
File created	C:\Windows\SysWOW64\Fbmcbbki.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Fbmcbbki.exe
File created	C:\Windows\SysWOW64\Mhdqqjhl.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Onmddnil.dll	Mlmlecec.exe
File opened for modification	C:\Windows\SysWOW64\Aadloj32.exe	Adpkee32.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Aadloj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Fbmcbbki.exe	Fjaonpnn.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Gmndnn32.dll	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Oaiibg32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
380	2320	WerFault.exe	45

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhdlkdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adpkee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Aadloj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadloj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlmlecec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbmcbbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll"	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdbcl32.dll"	Adpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhdlkdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadloj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll"	Nhdlkdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlmlecec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7e3501e16b27b4af59b69e362f372860_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1992	2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe	28
PID 2056 wrote to memory of 1992	2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe	28
PID 2056 wrote to memory of 1992	2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe	28
PID 2056 wrote to memory of 1992	2056	7e3501e16b27b4af59b69e362f372860_NEIKI.exe	28
PID 1992 wrote to memory of 3020	1992	Gieojq32.exe	29
PID 1992 wrote to memory of 3020	1992	Gieojq32.exe	29
PID 1992 wrote to memory of 3020	1992	Gieojq32.exe	29
PID 1992 wrote to memory of 3020	1992	Gieojq32.exe	29
PID 3020 wrote to memory of 2744	3020	Gacpdbej.exe	30
PID 3020 wrote to memory of 2744	3020	Gacpdbej.exe	30
PID 3020 wrote to memory of 2744	3020	Gacpdbej.exe	30
PID 3020 wrote to memory of 2744	3020	Gacpdbej.exe	30
PID 2744 wrote to memory of 2796	2744	Ilknfn32.exe	31
PID 2744 wrote to memory of 2796	2744	Ilknfn32.exe	31
PID 2744 wrote to memory of 2796	2744	Ilknfn32.exe	31
PID 2744 wrote to memory of 2796	2744	Ilknfn32.exe	31
PID 2796 wrote to memory of 2692	2796	Inljnfkg.exe	32
PID 2796 wrote to memory of 2692	2796	Inljnfkg.exe	32
PID 2796 wrote to memory of 2692	2796	Inljnfkg.exe	32
PID 2796 wrote to memory of 2692	2796	Inljnfkg.exe	32
PID 2692 wrote to memory of 1984	2692	Mlmlecec.exe	33
PID 2692 wrote to memory of 1984	2692	Mlmlecec.exe	33
PID 2692 wrote to memory of 1984	2692	Mlmlecec.exe	33
PID 2692 wrote to memory of 1984	2692	Mlmlecec.exe	33
PID 1984 wrote to memory of 2128	1984	Nhdlkdkg.exe	34
PID 1984 wrote to memory of 2128	1984	Nhdlkdkg.exe	34
PID 1984 wrote to memory of 2128	1984	Nhdlkdkg.exe	34
PID 1984 wrote to memory of 2128	1984	Nhdlkdkg.exe	34
PID 2128 wrote to memory of 2764	2128	Adpkee32.exe	35
PID 2128 wrote to memory of 2764	2128	Adpkee32.exe	35
PID 2128 wrote to memory of 2764	2128	Adpkee32.exe	35
PID 2128 wrote to memory of 2764	2128	Adpkee32.exe	35
PID 2764 wrote to memory of 2900	2764	Aadloj32.exe	36
PID 2764 wrote to memory of 2900	2764	Aadloj32.exe	36
PID 2764 wrote to memory of 2900	2764	Aadloj32.exe	36
PID 2764 wrote to memory of 2900	2764	Aadloj32.exe	36
PID 2900 wrote to memory of 2116	2900	Djklnnaj.exe	37
PID 2900 wrote to memory of 2116	2900	Djklnnaj.exe	37
PID 2900 wrote to memory of 2116	2900	Djklnnaj.exe	37
PID 2900 wrote to memory of 2116	2900	Djklnnaj.exe	37
PID 2116 wrote to memory of 2156	2116	Dbfabp32.exe	38
PID 2116 wrote to memory of 2156	2116	Dbfabp32.exe	38
PID 2116 wrote to memory of 2156	2116	Dbfabp32.exe	38
PID 2116 wrote to memory of 2156	2116	Dbfabp32.exe	38
PID 2156 wrote to memory of 320	2156	Fjaonpnn.exe	39
PID 2156 wrote to memory of 320	2156	Fjaonpnn.exe	39
PID 2156 wrote to memory of 320	2156	Fjaonpnn.exe	39
PID 2156 wrote to memory of 320	2156	Fjaonpnn.exe	39
PID 320 wrote to memory of 1596	320	Fbmcbbki.exe	40
PID 320 wrote to memory of 1596	320	Fbmcbbki.exe	40
PID 320 wrote to memory of 1596	320	Fbmcbbki.exe	40
PID 320 wrote to memory of 1596	320	Fbmcbbki.exe	40
PID 1596 wrote to memory of 1100	1596	Lfpclh32.exe	41
PID 1596 wrote to memory of 1100	1596	Lfpclh32.exe	41
PID 1596 wrote to memory of 1100	1596	Lfpclh32.exe	41
PID 1596 wrote to memory of 1100	1596	Lfpclh32.exe	41
PID 1100 wrote to memory of 2852	1100	Ndhipoob.exe	42
PID 1100 wrote to memory of 2852	1100	Ndhipoob.exe	42
PID 1100 wrote to memory of 2852	1100	Ndhipoob.exe	42
PID 1100 wrote to memory of 2852	1100	Ndhipoob.exe	42
PID 2852 wrote to memory of 804	2852	Npojdpef.exe	43
PID 2852 wrote to memory of 804	2852	Npojdpef.exe	43
PID 2852 wrote to memory of 804	2852	Npojdpef.exe	43
PID 2852 wrote to memory of 804	2852	Npojdpef.exe	43

C:\Users\Admin\AppData\Local\Temp\7e3501e16b27b4af59b69e362f372860_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\7e3501e16b27b4af59b69e362f372860_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Gieojq32.exe
  C:\Windows\system32\Gieojq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\Gacpdbej.exe
    C:\Windows\system32\Gacpdbej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Ilknfn32.exe
      C:\Windows\system32\Ilknfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\Mlmlecec.exe
        
        C:\Windows\system32\Mlmlecec.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Nhdlkdkg.exe
        
        C:\Windows\system32\Nhdlkdkg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Adpkee32.exe
        
        C:\Windows\system32\Adpkee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Aadloj32.exe
        
        C:\Windows\system32\Aadloj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Fbmcbbki.exe
        
        C:\Windows\system32\Fbmcbbki.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        19⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobhal32.exe

Filesize
6.4MB

MD5
d7a627f0990359f64c3867e0d24ceb36

SHA1
9738e22cbb631573add184b7c2d2198d765d7b9b

SHA256
f22daab94f7c3b5b91d1449bbdc98d144968e515abd5262a94df594bbe163aef

SHA512
21381bb54c6e54a22b2ae3cd8f2d085a53434142f4a2d7082229b1da3ee9301e33453ace407b2ffb55762b6dc9b0e4bf058bde6217c2622372fdb23a608ab85b

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
6.4MB

MD5
0cae55a9f8b018f1b541bb146a12f00f

SHA1
5c185f577a7c3e6b2052ea8695ca59c4fd4cb089

SHA256
3bdfa3ae59df94bd938aefb166e5e2fa61d6657f7ac172f9f08158512a2436db

SHA512
973836140f9bee1ab93f7fde2b5d3262c07f7151296b67cbb9e74d47c6328047e5561f2b3ad556d5f8726024cead405e694db1fe42ebca2d0acd441ad3a6b94e

Download Submit
C:\Windows\SysWOW64\Fbmcbbki.exe

Filesize
6.4MB

MD5
37936586ece65dc1aee4e213ce7be49f

SHA1
e1ce44fe38c40269558536e3282994e4582dbf4c

SHA256
9357e3e099b5c81dea35f06d4f3b72febe4680d40814e28ac56982cd1a357674

SHA512
4679db3e37bfec721ebb26df05565f188ac18123e39385a39dbef70ab17a24575c543b8c6411e79ee1f0cc43235327e6b704c3b79cd52704165e38888d6ca377

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
6.4MB

MD5
c139a2e3d32b1d8148e3b4b06d460bc2

SHA1
79b87ac59e1987ad093a6760930e218ad701b2cb

SHA256
c657f49217e97176c4593431b9ea34f43ba26b834bf26495b309e6f712bc3883

SHA512
b3b8385573bbce209a6769ced03eeaea82cae07b7a5340f8d14c988f8deec69b0db85c3c9cf1a5a827eebea4ba33a216a2b4197ec8d27968645e1ea3312c95fa

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
6.4MB

MD5
d49fee61f5f34344e34e63e83a6190a8

SHA1
820b7e01a71b86149dc0812537b82f60adf4d103

SHA256
984b88222e3aae00d53b1b586b15d849ece2d3ced13ec6043a619f2f9914af76

SHA512
3426094c4ec3d5345bc78cf62ef3d5f1b1e933dc1ad2401fd66165881ffe98d48960de0524b0dd75fad3d282f3901b4f9e4250a36882c239b9bc7d8f93c6ff04

Download Submit
C:\Windows\SysWOW64\Mlmlecec.exe

Filesize
6.4MB

MD5
72f29925c3de8034d375b2d039640df6

SHA1
d326a6cc3e71b460fe44d3a8edea4ab46d8dd65a

SHA256
17d12c98c9821e4a73a3cfb8b562fc6f93e505df13a2647ccf0213c7795ee66e

SHA512
492590f4e93ee58fa56e4740a8ba5306693430bfa7dcd4eb9cde31a195caf4c8e1e64103cf0e830f91d79162531c3029986a13d6b568289482385e8d960d5690

Download Submit
C:\Windows\SysWOW64\Nhdlkdkg.exe

Filesize
6.4MB

MD5
61adecf711fafcde3fc50bbff27e8f31

SHA1
b495d1b566401e6e0ede1804b849c42f3e8fedbd

SHA256
22f64ac8d53d184dc31b77b691f1b4172e20319592aecdadf96c7e923f2b1f97

SHA512
f7a4f196f53a2e931ddd3bd9c36b2ec6ebdaf45b98b170704db0c8dbc93e79b73b663a415d186617457840e91b1f919cc4ac17dfc35ba41549e3e2bf00c3b0ee

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
6.4MB

MD5
cb8786d23d0d048764e837d37ef14473

SHA1
e51e5b3d2cf7c85b74c16891c6d0c08289de91c3

SHA256
de1f3e8333dcd0f05e41240c1057329fcefda1ec959723bac7a281ee61a0ca15

SHA512
684f10b3ae9e28f0b9d2dde7a9407fd769f1ca08376e1ba2eb725d88027f0623f1968b0c808c2b9481360c5905e805b9b76ddf69f55a3b3bc239b040794d98e0

Download Submit
\Windows\SysWOW64\Aadloj32.exe

Filesize
6.4MB

MD5
9c6a31b2a34448360d3ba261511b63ed

SHA1
15db275fecb333498884787f12d89577cb20d1dc

SHA256
fa17dfc2e976591688422136f81f4259b5d6ff3cc123c563649fde57388f24be

SHA512
a5e506539ab17bbdcab3a6b92b644e22e19a440bba0b82077d5e3e700510469a415ede4b9fc3db3792390256afb7377bd07bf34353e220cbd44b0ae5625dd581

Download Submit
\Windows\SysWOW64\Adpkee32.exe

Filesize
6.4MB

MD5
d116e4a16851d898b514811931b2b23e

SHA1
d7ec32cbe1380d742c5c3ddefb54459f391fd7dc

SHA256
5d02d4fc1da78f4d56674d08213e5a231a015d79b7d741b52426ad5d43e8467f

SHA512
1fb7c97ee32c794e18923f72739759f30c5fbd5e34b15e84bba41e513a66db53b04d5e3aa7619fe351f47e38dd5191d816ab7e5da6a2ccca8486628763cbf2c1

Download Submit
\Windows\SysWOW64\Dbfabp32.exe

Filesize
6.4MB

MD5
8ede240347aa9d3b7e6fc252d93e8c44

SHA1
322346e23017e2fc811f89b411bf6633653748a0

SHA256
d5117830652dae1336997f651ab36e49f45895185efb66cc5f0432030068f99d

SHA512
9faf91a7df3ec70e5d38f5dadcdcd932db1e58c6beaff0ab3f7f94366c91415cad21c175b6caf65c1f8500e94508f7fed195d0fa34e70b6cf6180d01ff7a647f

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
6.4MB

MD5
a0615a2e53d09c177fda349562776f41

SHA1
ff06776a599fc85d6de4353cdc6d966237c37cc8

SHA256
de9de9235e355732e0d18e97e3c55f255cb889e9576cc8921fd3ccbebdc4edea

SHA512
77a6f8cf95859b038fed54c1ce8fa503d111383cd8118fcf0238e75ee7a164829d39d1fd83bb8b2841322832acba43b784fc1b3e410f79c0f5bbc57f3a3c6d87

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
6.4MB

MD5
3f247c7f40a38751e775097fd725bc54

SHA1
a94757db4ce11cf592e12b28193e0cc8d603bac4

SHA256
c71471cd153bc2e3a4517226bbd8f073d556fe34efc3714d2b766f53c9a88bd6

SHA512
b8db1b6b0c8a42fef5df23089b57959b81a0156b32e58a9b754a0c2870b63d8a7c2feb0d55a1a75539003ce637e835e027ec92861401608df51dfb3e2639fc8d

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
6.4MB

MD5
8b9899f560f937f28017b13dfef43246

SHA1
f5f0ec7ec8fa4d90fe41a8ae4dac83a33302f579

SHA256
dfa908412bc0904272d68d7261bf9cfdcd13e428447dc163aae7b16ae9108ae8

SHA512
ef9bd4ecc4aa2bc372875322ac3e9118326e683e8c4476bcf134ff76bce0f3807912f3f136e47a371dd6b297bc85d9a51b471bd344c804afdd3bbced6400e7d0

Download Submit
\Windows\SysWOW64\Ilknfn32.exe

Filesize
6.4MB

MD5
126d4187efb35876b669c8c5bb1c7ef1

SHA1
2c4b77ef6a25204c5698a9a5f387452496667a4a

SHA256
e937dcf6973af8a4b24a01873ac7cf0ddcd747ca59dcfe4b8cf7d6ca732292b2

SHA512
b1318d86d063706063c88a656a1ed01a70e91f10e35d85cd57206bcf48c2ea8611f41ee5e5d36a96e2d348683a01d99e5e35456a7dff064ef9ea9c39db7a90f2

Download Submit
\Windows\SysWOW64\Lfpclh32.exe

Filesize
6.4MB

MD5
b433ea4bab83357e42b43bc4701eb0b3

SHA1
4611dec90896b0e210b125ed15078944506e4789

SHA256
5dd47cad8ccc655a87d56574fd30585dff96155cc42446b84e3c4086fc77c671

SHA512
84a889c204c6c1d7435b6710a019b10093180efea78b3233923401ed8bde324a24636655ec45abf9730bae45c0eb6eda0110d6656dbdf204d7c7a78687459c9a

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
6.4MB

MD5
f2be614c8dbbe4166b0d27ec392fd93e

SHA1
08e1a7ee4315529eccf81ab03d33d1e378b6875a

SHA256
604087af682bb04ef5ecc84f959104f7ed31709a0e27bac7218c75d5d41d0c70

SHA512
e3755d06aa7966cee25497dbba3d320478fb8b7ab1ceaef9240363a6db4c592cb4be89e813d43484345d8b65add560edb6075b35b483742117da50384194d639

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
6.4MB

MD5
e5787e537d71c55699daa6eace392e62

SHA1
c2ff3b1ca4c88d40220dbe7643e464db6f5e8a08

SHA256
45154f3994790befc9ba571a9b0dfe08447eba91831cb296649bceaa6246731b

SHA512
01e81fbfe3c70fc714dd02706143ad057fa0e53fd9eb52adbef00b8b469652d662b88a2c4ea703fd2fb660d00d1c42ec195a7f861a1d5be313f38f01feab60a3

Download Submit
memory/320-179-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/320-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-180-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/320-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-235-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/804-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-26-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1992-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2056-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2056-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-83-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2692-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2692-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-47-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3020-46-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3020-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads