984ad39877dca71dd502e17a78cab2b0ab4788483e1663c2ce9e9f37f97d971d

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Size

100KB
MD5

05931dbc01d29a73eb602e5ae0a2ee40
SHA1

7705638b6ff47d1e5344db87525c521adc84f4a6
SHA256

984ad39877dca71dd502e17a78cab2b0ab4788483e1663c2ce9e9f37f97d971d
SHA512

8a1a5432cb973f446b110e7c5c0d09e126624296712e3005f7413182ad3c1b4e25c667a03324aaa5590bca15807443f43a41c4bdc8a27044161025dd59089744
SSDEEP

3072:CFvm+25xi5Ph9C6T5V47QFZf0qj/oHEMFR8n5j8YD:CFvl0xivdBjATFR6jp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe

Executes dropped EXE 45 IoCs

pid	Process
2388	Fajbjh32.exe
2968	Hpfbcn32.exe
4120	Hhdcmp32.exe
2928	Hpmhdmea.exe
1460	Hihibbjo.exe
3512	Ipkdek32.exe
3256	Iehmmb32.exe
2516	Jhifomdj.exe
5084	Jikoopij.exe
4584	Jbepme32.exe
1392	Khbiello.exe
3648	Kheekkjl.exe
3328	Kifojnol.exe
1448	Kpccmhdg.exe
3664	Lcclncbh.exe
2312	Lhqefjpo.exe
3348	Laiipofp.exe
1516	Legben32.exe
848	Ljdkll32.exe
664	Mhjhmhhd.exe
3052	Mofmobmo.exe
4504	Mlljnf32.exe
1964	Mhckcgpj.exe
1696	Nqoloc32.exe
3668	Nimmifgo.exe
1484	Ncbafoge.exe
3540	Ojqcnhkl.exe
2240	Ocihgnam.exe
800	Ockdmmoj.exe
4484	Pqbala32.exe
2260	Pbekii32.exe
4356	Pidlqb32.exe
5064	Pciqnk32.exe
1052	Acqgojmb.exe
3864	Amikgpcc.exe
1400	Amnebo32.exe
3380	Apnndj32.exe
3740	Bdapehop.exe
680	Bmladm32.exe
4228	Bdeiqgkj.exe
3952	Cgiohbfi.exe
4808	Cancekeo.exe
1864	Cgklmacf.exe
456	Cmedjl32.exe
4132	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lhqefjpo.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Ncbafoge.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Lcclncbh.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Chgnfq32.dll	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Anlkecaj.dll	Pqbala32.exe
File opened for modification	C:\Windows\SysWOW64\Pidlqb32.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jikoopij.exe
File opened for modification	C:\Windows\SysWOW64\Acqgojmb.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Defgao32.dll	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Goniok32.dll	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Kpccmhdg.exe	Kifojnol.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Cgiohbfi.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Mnhgglaj.dll	Amnebo32.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Apnndj32.exe
File created	C:\Windows\SysWOW64\Legben32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Amikgpcc.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Qglobbdg.dll	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Hpceplkl.dll	Hpmhdmea.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Iehmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Lhqefjpo.exe	Lcclncbh.exe
File opened for modification	C:\Windows\SysWOW64\Hhdcmp32.exe	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Inclga32.dll	Hpfbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Amikgpcc.exe	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Apnndj32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	Ipkdek32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Jikoopij.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Apnndj32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pidlqb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lhqefjpo.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Khbiello.exe	Jbepme32.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Bdapehop.exe	Apnndj32.exe
File created	C:\Windows\SysWOW64\Ipkdek32.exe	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pidlqb32.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cgiohbfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4084	4132	WerFault.exe	135

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll"	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll"	Khbiello.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipkdek32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2388	3852	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe	91
PID 3852 wrote to memory of 2388	3852	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe	91
PID 3852 wrote to memory of 2388	3852	05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe	91
PID 2388 wrote to memory of 2968	2388	Fajbjh32.exe	92
PID 2388 wrote to memory of 2968	2388	Fajbjh32.exe	92
PID 2388 wrote to memory of 2968	2388	Fajbjh32.exe	92
PID 2968 wrote to memory of 4120	2968	Hpfbcn32.exe	93
PID 2968 wrote to memory of 4120	2968	Hpfbcn32.exe	93
PID 2968 wrote to memory of 4120	2968	Hpfbcn32.exe	93
PID 4120 wrote to memory of 2928	4120	Hhdcmp32.exe	94
PID 4120 wrote to memory of 2928	4120	Hhdcmp32.exe	94
PID 4120 wrote to memory of 2928	4120	Hhdcmp32.exe	94
PID 2928 wrote to memory of 1460	2928	Hpmhdmea.exe	95
PID 2928 wrote to memory of 1460	2928	Hpmhdmea.exe	95
PID 2928 wrote to memory of 1460	2928	Hpmhdmea.exe	95
PID 1460 wrote to memory of 3512	1460	Hihibbjo.exe	96
PID 1460 wrote to memory of 3512	1460	Hihibbjo.exe	96
PID 1460 wrote to memory of 3512	1460	Hihibbjo.exe	96
PID 3512 wrote to memory of 3256	3512	Ipkdek32.exe	97
PID 3512 wrote to memory of 3256	3512	Ipkdek32.exe	97
PID 3512 wrote to memory of 3256	3512	Ipkdek32.exe	97
PID 3256 wrote to memory of 2516	3256	Iehmmb32.exe	98
PID 3256 wrote to memory of 2516	3256	Iehmmb32.exe	98
PID 3256 wrote to memory of 2516	3256	Iehmmb32.exe	98
PID 2516 wrote to memory of 5084	2516	Jhifomdj.exe	99
PID 2516 wrote to memory of 5084	2516	Jhifomdj.exe	99
PID 2516 wrote to memory of 5084	2516	Jhifomdj.exe	99
PID 5084 wrote to memory of 4584	5084	Jikoopij.exe	100
PID 5084 wrote to memory of 4584	5084	Jikoopij.exe	100
PID 5084 wrote to memory of 4584	5084	Jikoopij.exe	100
PID 4584 wrote to memory of 1392	4584	Jbepme32.exe	101
PID 4584 wrote to memory of 1392	4584	Jbepme32.exe	101
PID 4584 wrote to memory of 1392	4584	Jbepme32.exe	101
PID 1392 wrote to memory of 3648	1392	Khbiello.exe	102
PID 1392 wrote to memory of 3648	1392	Khbiello.exe	102
PID 1392 wrote to memory of 3648	1392	Khbiello.exe	102
PID 3648 wrote to memory of 3328	3648	Kheekkjl.exe	103
PID 3648 wrote to memory of 3328	3648	Kheekkjl.exe	103
PID 3648 wrote to memory of 3328	3648	Kheekkjl.exe	103
PID 3328 wrote to memory of 1448	3328	Kifojnol.exe	104
PID 3328 wrote to memory of 1448	3328	Kifojnol.exe	104
PID 3328 wrote to memory of 1448	3328	Kifojnol.exe	104
PID 1448 wrote to memory of 3664	1448	Kpccmhdg.exe	105
PID 1448 wrote to memory of 3664	1448	Kpccmhdg.exe	105
PID 1448 wrote to memory of 3664	1448	Kpccmhdg.exe	105
PID 3664 wrote to memory of 2312	3664	Lcclncbh.exe	106
PID 3664 wrote to memory of 2312	3664	Lcclncbh.exe	106
PID 3664 wrote to memory of 2312	3664	Lcclncbh.exe	106
PID 2312 wrote to memory of 3348	2312	Lhqefjpo.exe	107
PID 2312 wrote to memory of 3348	2312	Lhqefjpo.exe	107
PID 2312 wrote to memory of 3348	2312	Lhqefjpo.exe	107
PID 3348 wrote to memory of 1516	3348	Laiipofp.exe	108
PID 3348 wrote to memory of 1516	3348	Laiipofp.exe	108
PID 3348 wrote to memory of 1516	3348	Laiipofp.exe	108
PID 1516 wrote to memory of 848	1516	Legben32.exe	109
PID 1516 wrote to memory of 848	1516	Legben32.exe	109
PID 1516 wrote to memory of 848	1516	Legben32.exe	109
PID 848 wrote to memory of 664	848	Ljdkll32.exe	110
PID 848 wrote to memory of 664	848	Ljdkll32.exe	110
PID 848 wrote to memory of 664	848	Ljdkll32.exe	110
PID 664 wrote to memory of 3052	664	Mhjhmhhd.exe	111
PID 664 wrote to memory of 3052	664	Mhjhmhhd.exe	111
PID 664 wrote to memory of 3052	664	Mhjhmhhd.exe	111
PID 3052 wrote to memory of 4504	3052	Mofmobmo.exe	112

C:\Users\Admin\AppData\Local\Temp\05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\05931dbc01d29a73eb602e5ae0a2ee40_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Fajbjh32.exe
  C:\Windows\system32\Fajbjh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\Hpfbcn32.exe
    C:\Windows\system32\Hpfbcn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Hhdcmp32.exe
      C:\Windows\system32\Hhdcmp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        46⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 240
        47⤵
        Program crash
        
        PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4132 -ip 4132
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmladm32.exe

Filesize
100KB

MD5
a9b08ec4f560bc1fb484548560c5a720

SHA1
a10b79d8c51b6f292862347ae25a5c0b9f0823f3

SHA256
467995e3e18a5ea18e84630a6ea7896991de1fc2c08f6c56acfe9b7461be42cf

SHA512
785f1a22e22f4984f43d1d5bc16d4c49b7cfa61233ae27392adb884bf08465c62997dd59a79971466d96ead9d556dfe2f891aa8e8a783c709f7161fba0fd73d9

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
100KB

MD5
f2aca8873e51780b562d35069bcf1eec

SHA1
8dade1d1706071e8c3841e1408e8ae3a0f41489c

SHA256
eab2ba0d5591901331576c1fde76eb1faeec83e4f8240d379c22231691647e66

SHA512
bdd942b2da6007b4567102cfd9c3d23cc428d9b4eaef619df295118e6865c12cb66318337e6f99b3269ac2ed9bf6f553b35a7c8b18905f8eab9b7aee4586ea94

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
100KB

MD5
4e44710c1db6952fad0bbc32c12d5b8b

SHA1
877741153cb6ae5fddda357ddb74d9637878ef7a

SHA256
c33dbd9a3fa8f699017905b141a5e229f6405b311942ddafcbfd773f194e76a8

SHA512
3cdaed780838e9d65edb98b4179c990cee480137e6c8b23a72d901b5e33ccca39898df17b1339b6a907248441972cf5f0e1bbb610f993355a96db9178f42cf06

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
100KB

MD5
895175d68834e4656e9da7286a032fb7

SHA1
6068a9b0200b92aeb0f9e9370e23d3238c256659

SHA256
784a8bc84d164b67b3b228d708488fc9bb2b6c90cffed9e3714e239b1053a713

SHA512
6a1cba1707cf3e7b3fd7f43fb906b33e7461ab4509e5d335a634d4afc4eca288fbd6be7c1a5179d870860507340bcc1105a9adcaaf507cb75db153c5fb08d931

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
100KB

MD5
e2b68740c162327c0a833c2304103866

SHA1
5a3781808de5ad70153b7e1f04567e6f1c4f81ed

SHA256
1ebf66368c15877baf655fe79b10c12858b1a6c13c78a2a8cac142f1099ea62d

SHA512
f809a966d0d3af3bb07feb62d8784543c27acad1fa6b092318e7797051763b985fa956b0a430f2fa120dffe6523cf037f79e7fa97ca7af7836da5e6d9c2e8401

Download Submit
C:\Windows\SysWOW64\Hpceplkl.dll

Filesize
7KB

MD5
f6fba7c83761b9b0f2720df666b6900b

SHA1
3321375dadfb5a5bd69f55f13cfd7e18c979ba54

SHA256
6649bb36b5f9580e1b7699655c766ca029c39cf300718ec5579a2d184292215b

SHA512
051d4ba4017dcc4123ea63e334cfa4bdeb1c2bc9933f6a52f36d1e7d2b3d7c80710eb689539db81eb7e96f44b23016521addd1eeab93ddf15143a236d8d9d57e

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
100KB

MD5
fb719ca2d141bd0c2ca4ad2429274765

SHA1
7ee177b786a420b391e6939d936f67e9554b5c53

SHA256
f547ecdec4861a6518c5d7487937aae04312ea0f9805c56ca7d123bb29fb833a

SHA512
a291fed97ed757e1a7e7f4183c84ac8d43f8c170886dafe28d37761ad6312281006ef614cb2ebc8b7f81c0f38fab59f2fb0e857d92049fc0a3a3d29bcd35edef

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
100KB

MD5
d203a598cbd8d98e54caf99310ac99b2

SHA1
30f895d3df59d123770e7cd86e480ef212734462

SHA256
49e9127ec85659c02d4bcf8122eafe227816808f9747bd96e50cf9d1d859a7f3

SHA512
6ee91be3f64a0d70909434f4d9dbf4bf261971d8998bee0995b0b20d8137fefb055dc9eddcb9186af4b98944d94132a7dfb3b16371caef0d1c6441e31e3825f7

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
100KB

MD5
18ad9f641ab480159b95553ce6ee660c

SHA1
5a1c6d41531c99f1a1ab5dbc5bfbac86ef4ba149

SHA256
997a02272673dcd9d7c607957642802bb9ebdefb73838f76f36964750f5d6ea4

SHA512
166b0edc478773e2df39a06cbfbce35597095f1129b6a2da73fcb1a35db8a848987aa87d7dff308149e2a11e638d53184bf78b656e96ec2366303955b772fc0d

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
100KB

MD5
c2ebde8a800329a1dea297e564ed3cd3

SHA1
632cb4f0d6ddf52be3be1ae488167927d76b3fc2

SHA256
e0ff06918b358140fb39746eaa14351b24cab3783a18e74a1b47da2dccccd66c

SHA512
6672c3dd6f01d8a9b8eaac4923e4ee7aaca645241e3579726be2bf276f6aa209617286264f61873cd0baa2cf52588f0f577260a691d47c2d7d648807c430db81

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
100KB

MD5
40940ada23799d7a9c5dc859e74a1bc0

SHA1
c10796fa7b1d1fde9380a08ecb0015c715eec37a

SHA256
83bd6c83e71dab62ac4de6729f04b989b830b0f42fde19f238848ad5d0ef428f

SHA512
8a8b4847586958504427d5ad7235cbc23ed9fcc762e29ea6edcf1cdf08ef7d4615c0ef3042478d6028aa847b61522f5313621435ee8affce2b22ddbbfb109188

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
100KB

MD5
109076afdd6cf74cb553c5027bcad77e

SHA1
8b47382dcfc7677307b2840bc44e69e3d07c726f

SHA256
58c43b963e2678401cd33de5aad37fc869a90634ec0ec788ac55995f99774a83

SHA512
306c84d18ad6c97158953488f72194907bc0ab10eae61e2924f3e3c1c6b6e8b8b2c5bb0a4fa9532f9f9566b71346aead84177a168e6af9fb52342a527a2e8a98

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
100KB

MD5
afb2ae6fef02e539a36aaa5aba8c9e37

SHA1
0fb5b075d3b62c5105e58b51a68e4f4afa6b947c

SHA256
b3ce530e7efe8087aa4ca7839f80b8e4a2f8bcd08495792f890e0da7c1584b1a

SHA512
982998da4e16f80ffb5818f57218691b8f516a6e7572213f719ea9954adc7e5d5b2b79becbcf8589c3039338d304793c8d49575d7ecbe48a30a04f4488e34abf

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
100KB

MD5
4fce2324d397e4c9d0132e5b5e984285

SHA1
ca9bbfa5f0101f76379e94541e5a8dc578d893c3

SHA256
fb126695a0a6a30a3af83970bff90f122e008954f0431ab2d093c7397c219971

SHA512
522b29b6c7aab707b480602a69c1d1414db3d7077532045720dc1d9e811904851f8ad77766200e79c968d7cdf3972d04eb27eed6d92bbd0bbe61a400bdc595f6

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
100KB

MD5
2452808db4e1d95afd6ec8d70c476eff

SHA1
b0b57291c4ef069beb70343ba458591317e8beb2

SHA256
60061f69bbaca6d1a60befb51ecdc9eead89eb838cb8bd332aaad499a1179dd9

SHA512
af020163ad3ac39f13cbafc8035f2494b22d8714ee9ca84dd7a62ee069f650a8e63fab9fbd4ad1d9d013de4fe891e0bbd7bb640ab4c7d04e316a42e0b2f955ef

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
100KB

MD5
e207e79fda982191c250d05b2c6af35f

SHA1
911abeca92c6ee41fb7e7a8cc0a5eb9f18fe33e4

SHA256
6080efdb3328720fc48cf5694d734ba486aa9f40f6ac821ef22418bc8028665c

SHA512
df61819d7230f430a3ac856cf843a071afde8054f19592673c785ecc56863d078309e8d2d3801cf4bd34dec0cd1bbe2f27243e3f7f0031f065b22d61e3afe219

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
100KB

MD5
fc8ae395c1fb2dd3e255e527aad09751

SHA1
3019d587b67c598fbccf5c41546519f865a1daff

SHA256
b5edf78b18bc77898f7525b156b8a96fbe3a9d846936ccde7ad7319996bc845f

SHA512
3077c9de8aecc9be795c3b4d7ebcceaebd5373ff5d90827c5e1928f5e12b30112bbee97c8e1c097e2c65219f14eba64f9316161cacd115f3db6efc91f38fc9ed

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
100KB

MD5
7830ab6bc0647172d1c236025a00dfbf

SHA1
7d5bb8f5868fbfcd7bf2576fb8595c6242f9d3fc

SHA256
89619242bfac8346768e036d268c401c0b216dea975a4b82503b6e920549b6d4

SHA512
bb71ab021584caaecbf5eb14f9a7fcc0057c564d68ed9e758185dd9ba84de6070600b9de2c73771332fd63df07f55d49dd6c3269baefb67048ffadc5a55c1410

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
100KB

MD5
ead841a019b9b09a8fb6a7932b96644e

SHA1
7bb87952f5805343f340cecf6631a7561d91762f

SHA256
614e883f1dae643a0159b341a55971a0b12b8d09e75c5040ee5b5d0c10d1032c

SHA512
c080f7a8d3ba03b375d33a84b33e256d7c3052de479c810105917fa1cfd859d3348cab563f40071a8b280f5cea0c34aa3af6ed7ad4d795514d9a62abce3a9c59

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
100KB

MD5
0014fb65cdb5e980b8c75bbb571943da

SHA1
7f35d2fff1e96adbbeb622038efac17dd046e935

SHA256
5f6f931847dff6a87a475dcdd2e9205f7ac8958ebeaabcf4c139984e073a075d

SHA512
b68d4b8c27a3aa63879d1d72ffbb960a266123d7e81ea9332b8da03f7e1158aa1fe15ecf8c8bbb94509b571c10646fd5987500b349630407a28860ab8a96a1d7

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
100KB

MD5
08fa5e9b88539cabcc65666f1da240b3

SHA1
692fd5d1d67a49fc7ae5e42bb25e09a14bf97227

SHA256
ade3ae11d57e0e7cbba8dfe227f239c8908ff12370ee746a45e6e30f302b03bd

SHA512
a76e6d3509c38bd6bde294d24f9bbfd4bb42f987883da968fc42728b45121ac77c80ff992a06cc73876d5ced8f293a3817130fcc5e23dac5b0c325073266726e

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
100KB

MD5
fac50cb0de0bd4d3ec94de12834af43a

SHA1
89520bcd5352606d684200373d8b13de376a8652

SHA256
8c61edb76680700df8428e9a3134f951c5ca4222585e98b59d9f8dbc55989240

SHA512
5881abec28f0f3ed41f1dbe3d2cba6bd66c903a9ce6b8b98d2a38a1bf869f349bac73d6cd7c5397d54d3c2580a0db99eacd9549efbcef0d073db0eb23d323ae1

Download Submit
C:\Windows\SysWOW64\Lcclncbh.exe

Filesize
100KB

MD5
d26b2a9b5f1b28751119cf1a64d8cf69

SHA1
efc4a517232d1d96029ae5ffb2467924fdfdeb86

SHA256
69e4411d974ad0e8c8b3f17ef6e19dca950768b592c869b02062237620ef420f

SHA512
d2a2cb215672b1b839dee9af754d42aa2ac252675394628f71eb9944950dbd4d70c159fc10fd1a0e0c7a6de64fac79b477a85466b734a65ddea18f38aab3f144

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
100KB

MD5
032a0c7dec84d7e4fd38b25cd86ad828

SHA1
37157f8cf99023a98ee768c9640826c70524b2d5

SHA256
cfd85b9bd5153be7e38b85dd4299b050d9748a08d527874e17a81f8cfbb66b5f

SHA512
fdeea624db8bdeef9609c86de3b16ff033d4d8cecd602eb8255940c16140a836a21fc44dd6f72f9820dbf91b1f0cabc891f6dee30b29f8462f0b641b6b8f29d9

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
100KB

MD5
480e684d8d844da064b46650a229313b

SHA1
41b26f90e4814ec12ac193a47ebdea7784b5715c

SHA256
b81296f9555f2131b143afed231a604e03285cdc57fd504d3539a4c8009f086d

SHA512
c45e559de658e2d59e7efaa3a80acc74247e682f73ee100a37096023727630afed4feda57527b33e9abc5d030038b6bc6c332ad24575596468ac750e06e637c9

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
100KB

MD5
8ec30111f1f64e802870e81db3ee52df

SHA1
7792363bbbde50c979e8b71626f0c38e41aceef0

SHA256
f8096f12d8e863d4bfc1cf2d5b491423fa7b87431321694570ad628ee1cfebdb

SHA512
64a730990655a18a1cdec45330f1ba56b5bfe328d997354bc1947cf5df3e21bd83ae50feb349c3bdea269b0f28496aae036aaa6bf1a88c0bf1a3228ec6209120

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
100KB

MD5
d3bb315eda20ee51bd902fde1b933efd

SHA1
4c7256a0be354e02399bf2dad34b0eb30845b33a

SHA256
0904e946fc2708dc01f7aa4b493999a6c3d71cd4c5509f62a2ce0a3b0033fc48

SHA512
3ba907ba54afdc5059c31fe9bbffb2e72a445a1ff250dac0f51526d55231e6c960ce8b40aeb10d173ab5731536cf4152e3880d13c038f0b581f79e226569ecfd

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
100KB

MD5
148bb4716810a014a36ce388f628f0fb

SHA1
73a3ceb9da55320e97588ef46da21838326a01e0

SHA256
f265181c86acdc7ad36e86153a6965a97ffaf81e69e76c56ac3a982cc0265b92

SHA512
2600b6ac495931e1738b5242c920a37010262099701809a2cc7ccd92e31ccc61ac318468fd94d53283cd2e2a9052a186446751c2e14065287982caec2fb832db

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
100KB

MD5
7f0a0806e19cdf3e46d431483ab51510

SHA1
f2d3cd6dc595760b321e3b8d3ace1b07a3d41afc

SHA256
73a3306e39eba529d0953941af3962278b5c16d17b5960eff410cfd5383d665a

SHA512
7a4229547ed41b051368608ac33056fff7e35a1100f2fbfdbde0c881053459fcf6a60b0c94a59532ff1ac5ca6c6a71661478adad9cc3737a0f99b44774188283

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
100KB

MD5
eb206583c0ee525cc93a7def202b55c1

SHA1
f69b96e3d2712666b79fae868323c0ee1edb8442

SHA256
99b14e63b93a43dd2f968f2621da20c14f362d9c43f3d3c5a910694dfc038ccb

SHA512
faed127f1aff5284818008f931d3d7d3e94056e29b28d99963bd3b1f06273ecc843581fad83b02d91a36abfac36047f594c133b865d1b0af2b1174db61bd1bc4

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
100KB

MD5
7e6e90f6b3fec7a632cc3f22c3521946

SHA1
ed7a51b48a0c58b065d93ff8dd59755d9de18ebb

SHA256
5e7ff27b960851e9b809a18790dba6622a14f395d318ad27fc650154c9068c82

SHA512
7ba9d6fc39f5f14e3b3621538312cdafd25837b28cf17bca86c0352e91c790a14e7f4d9c0160269f9c7838cc7b701d05b508fbe7cc9066e98b423671dfad0696

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
100KB

MD5
420eb72f49d122a8a164d6f6aa88bf0e

SHA1
1951bdc766fbf50a24e4f9cdd0548bdc3381aacd

SHA256
a7892e2ce38d8d29a2be794cbe4ac1c19a95d66f5cda276ff1dda17a2daa274d

SHA512
3d519967eb572208c6f055c2724fd2cf85efa748983296f86b1a195c99c3dde6f69c2d8b802b153878e8b860c1929af6a822fabfe0fcee25b8656f5411a1ce91

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
100KB

MD5
503992290f50b6c03d483e1726d5f8be

SHA1
6addd71252acbc29acbc2a8814a16044da6af2ea

SHA256
53d52eb951b2e3943f4269891663c5a5b293a47de7f508596db015b993ce6b06

SHA512
b87c3e2591b1b11ced5be9f2ea1861b0961d098b3cbb542abdc38c16946f9cf0f811a177e73995d0a61c465cc902d285ec83a887646ccbd68da5be9fb42355e8

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
100KB

MD5
aab74a40b096ee7851e2ecd45a942d02

SHA1
803244aea2985b7e01653f47df4a717322ccce75

SHA256
5ab086cd62c3b4f7154c2cce442011c9a75a297233c3a063fb2a5bbd5e1a9e59

SHA512
eab7f5ead700f82794173e6f05725b75c0f69ffea823dc03063f85545d7d92e7ecc2633ce661a4a30a3ed04dff9c1b5d327a854b2cd66a42cde3434d3d8d6940

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
100KB

MD5
d8cc29a713249bb9d566bc8b101b8900

SHA1
ddf2c151bc5aa0e503bb122b58c52f38d3be46e1

SHA256
d8b94f688b33f009e2adf1520c90c4b1d93d9d9c5c3e5f9d3b8675e0beb2814c

SHA512
7d548a40faaeb86f968ce6191010913535e7cb2ea940a4c558cf2105e2b467b6a692c1d425c672fc99e00bc7ccd0fddfb23ff150a4e98a9125a6b9d1ae875628

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
100KB

MD5
b77b86b73a2bc78af969132d7401561c

SHA1
195255a2145b925673541cefc923d2d064b6ed49

SHA256
9454b35b02d4b11b2f7e3c933f4383946d33a449299b69cfd6d6d131b08a4476

SHA512
4cf3b70492fb4bc64700b74312b46ee83ffdf11cbf98d2d9cf8a43d3964be3912313f07366a89fee250e1db7822cb56c414e3b2e7efeccbc1c89a94f5bbeb48d

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
100KB

MD5
6f5417c5f32b29035a15a7ec32965ca3

SHA1
940d3247e70b1c60930fe9c273000c88c88fc9c3

SHA256
3f37e0dfe568f7daf48c5ae3c000a501f445a2693c37e2fa0fbf2e3a76215d9d

SHA512
35189b89472af6c9b670d7f18919d2736a23cdcadffeb1aeee3249e69e90eb0e719abe8c757a5e27b34556309815121415c173c07da8ac56da882a415e43e9d4

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
100KB

MD5
e5e7ac83f3ba8f5575fa7a9e9a027f3c

SHA1
eede112fc4a3f8c4b47bd5e6928ff0052057b3a7

SHA256
cec2718ab6c6fec83c5456a93f45ab5afb70fb655b2a3a3262f6621876486a33

SHA512
df18e6a0d0ff7a5ac85ebf5fa6a0482293faf0c833b5f7ac652ead242ac2588f6909b79aabe271e2e881bcc59f80e096bb6a1605b637d1f7eda5ed2c387a0ebc

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
100KB

MD5
1e52996d137e744dfa1fe6b00a03a32c

SHA1
8799252b0e6b1f073f9c0f00ef0bd9688e0f39a8

SHA256
c1a083210ba6bff0a99044d54203ae8ceaaf813b6516449b76508938f3b451aa

SHA512
8778bd5035d33212629e18c5a6624ae57c4bed7d1a52f1a5c5faf83aa6c64f13d0b583d2fdf51885abf8c7e06afcbe0dc0943210c8b903cce4cf0d516eaa8fce

Download Submit
C:\Windows\SysWOW64\Pidlqb32.exe

Filesize
100KB

MD5
7d0edbec7b8771e1ec3f5d4a30b55c86

SHA1
3a76f367322dacbd739cdc8091bd571daf5b79a0

SHA256
9d0bb1cd8b819a7a32217cc536d48cedecba94ea116a3ae4e655d10b1f671b45

SHA512
639fdbec5e3e7487b02d4dcd3406de899e67672ebe1b320032f75c42831ba2505d54ec3271b6de89d5106cfbed6cc5f4988610e7e5a98df00ee1d5d2de27371f

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
100KB

MD5
c8a74cc4ef42472d762cd276f5300705

SHA1
085971090637291df00dbb845ba7406f9401d318

SHA256
513fb4c0f93b22e0a24f866e05c15d3fc2b55f2a5baa024e7b3b9fd1205e1960

SHA512
695f7c51077c0b0bbbecac665f146da04adf0defc4cbde8a5e6a7c9b3ce670f60e4b20d57cd0e078318af344ed212b64ad41af9648a42761049b61934edc3e0a

Download Submit
memory/456-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/680-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/680-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads