485bce19d935cf6f4b5d974676fe63e8543e69faae42dd5af0be3aae9a4fe610

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Size

444KB
MD5

436c4e47b043342c2a862269dfb5f0c0
SHA1

35bb69fefaf03000261d88f708df4254967d6590
SHA256

485bce19d935cf6f4b5d974676fe63e8543e69faae42dd5af0be3aae9a4fe610
SHA512

d935e6286eaeaca682dc71aaa7f5018438c365d0026f5a9744887e8d4261f0dba6cf78f9e8db7d100d5432e5ac3e419ac12b05d1628cd368b74874f2ad4db222
SSDEEP

12288:/vwbWGRdA6sQhPbWGRdA6sQCkbWGRdA6sQhPbWGRdA6sQ:Xwvhv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkhbbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedmkmp.exe

Executes dropped EXE 49 IoCs

pid	Process
4696	Fganqbgg.exe
3280	Kolabf32.exe
116	Lplfcf32.exe
3692	Mbdiknlb.exe
4496	Nbphglbe.exe
4996	Oiccje32.exe
2268	Oqoefand.exe
1900	Pbekii32.exe
1648	Qpbnhl32.exe
4604	Cdmoafdb.exe
4908	Dpmcmf32.exe
4176	Ecdbop32.exe
4556	Egbken32.exe
2908	Fclhpo32.exe
2388	Fcpakn32.exe
1560	Fnjocf32.exe
4572	Gkcigjel.exe
1724	Gkhbbi32.exe
4588	Hcedmkmp.exe
3308	Hjaioe32.exe
3684	Ibnjkbog.exe
4420	Ibbcfa32.exe
4168	Ihaidhgf.exe
4984	Jjdokb32.exe
3620	Jdopjh32.exe
1576	Jjnaaa32.exe
2452	Kajfdk32.exe
2032	Kaopoj32.exe
4512	Lklnconj.exe
892	Ledoegkm.exe
3488	Lhdggb32.exe
1664	Mcoepkdo.exe
4028	Mlifnphl.exe
3540	Mhpgca32.exe
3784	Nkapelka.exe
1548	Ndlacapp.exe
3164	Nhjjip32.exe
3792	Nfnjbdep.exe
2440	Ncaklhdi.exe
1368	Oomelheh.exe
3744	Omcbkl32.exe
2180	Pcpgmf32.exe
564	Pmhkflnj.exe
4136	Pecpknke.exe
1308	Pbgqdb32.exe
4396	Pfeijqqe.exe
2996	Qfgfpp32.exe
440	Qbngeadf.exe
1700	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedmkmp.exe	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlifnphl.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Hcedmkmp.exe	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Alinebli.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Fganqbgg.exe	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ehfomc32.dll	Fganqbgg.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hjaioe32.exe
File created	C:\Windows\SysWOW64\Jjnaaa32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Ibbcfa32.exe
File created	C:\Windows\SysWOW64\Lhdggb32.exe	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nfnjbdep.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Ckcdlpbd.dll	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Oiccje32.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Ibbcfa32.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Nfnjbdep.exe	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Hjcakafa.dll	Kolabf32.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Jdopjh32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Gedkhf32.dll	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Fganqbgg.exe	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcoepkdo.exe	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Nkapelka.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Ndlacapp.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Nbphglbe.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Egbken32.exe
File created	C:\Windows\SysWOW64\Ipmgkhgl.dll	Jdopjh32.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhpgca32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Jdopjh32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Oahhgi32.dll	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Hjaioe32.exe	Hcedmkmp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjjmdm.dll"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfoceoni.dll"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll"	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Kolabf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdenofm.dll"	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll"	Ibnjkbog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4696	4832	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe	91
PID 4832 wrote to memory of 4696	4832	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe	91
PID 4832 wrote to memory of 4696	4832	436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe	91
PID 4696 wrote to memory of 3280	4696	Fganqbgg.exe	92
PID 4696 wrote to memory of 3280	4696	Fganqbgg.exe	92
PID 4696 wrote to memory of 3280	4696	Fganqbgg.exe	92
PID 3280 wrote to memory of 116	3280	Kolabf32.exe	93
PID 3280 wrote to memory of 116	3280	Kolabf32.exe	93
PID 3280 wrote to memory of 116	3280	Kolabf32.exe	93
PID 116 wrote to memory of 3692	116	Lplfcf32.exe	94
PID 116 wrote to memory of 3692	116	Lplfcf32.exe	94
PID 116 wrote to memory of 3692	116	Lplfcf32.exe	94
PID 3692 wrote to memory of 4496	3692	Mbdiknlb.exe	95
PID 3692 wrote to memory of 4496	3692	Mbdiknlb.exe	95
PID 3692 wrote to memory of 4496	3692	Mbdiknlb.exe	95
PID 4496 wrote to memory of 4996	4496	Nbphglbe.exe	96
PID 4496 wrote to memory of 4996	4496	Nbphglbe.exe	96
PID 4496 wrote to memory of 4996	4496	Nbphglbe.exe	96
PID 4996 wrote to memory of 2268	4996	Oiccje32.exe	97
PID 4996 wrote to memory of 2268	4996	Oiccje32.exe	97
PID 4996 wrote to memory of 2268	4996	Oiccje32.exe	97
PID 2268 wrote to memory of 1900	2268	Oqoefand.exe	98
PID 2268 wrote to memory of 1900	2268	Oqoefand.exe	98
PID 2268 wrote to memory of 1900	2268	Oqoefand.exe	98
PID 1900 wrote to memory of 1648	1900	Pbekii32.exe	99
PID 1900 wrote to memory of 1648	1900	Pbekii32.exe	99
PID 1900 wrote to memory of 1648	1900	Pbekii32.exe	99
PID 1648 wrote to memory of 4604	1648	Qpbnhl32.exe	100
PID 1648 wrote to memory of 4604	1648	Qpbnhl32.exe	100
PID 1648 wrote to memory of 4604	1648	Qpbnhl32.exe	100
PID 4604 wrote to memory of 4908	4604	Cdmoafdb.exe	101
PID 4604 wrote to memory of 4908	4604	Cdmoafdb.exe	101
PID 4604 wrote to memory of 4908	4604	Cdmoafdb.exe	101
PID 4908 wrote to memory of 4176	4908	Dpmcmf32.exe	102
PID 4908 wrote to memory of 4176	4908	Dpmcmf32.exe	102
PID 4908 wrote to memory of 4176	4908	Dpmcmf32.exe	102
PID 4176 wrote to memory of 4556	4176	Ecdbop32.exe	103
PID 4176 wrote to memory of 4556	4176	Ecdbop32.exe	103
PID 4176 wrote to memory of 4556	4176	Ecdbop32.exe	103
PID 4556 wrote to memory of 2908	4556	Egbken32.exe	104
PID 4556 wrote to memory of 2908	4556	Egbken32.exe	104
PID 4556 wrote to memory of 2908	4556	Egbken32.exe	104
PID 2908 wrote to memory of 2388	2908	Fclhpo32.exe	105
PID 2908 wrote to memory of 2388	2908	Fclhpo32.exe	105
PID 2908 wrote to memory of 2388	2908	Fclhpo32.exe	105
PID 2388 wrote to memory of 1560	2388	Fcpakn32.exe	106
PID 2388 wrote to memory of 1560	2388	Fcpakn32.exe	106
PID 2388 wrote to memory of 1560	2388	Fcpakn32.exe	106
PID 1560 wrote to memory of 4572	1560	Fnjocf32.exe	107
PID 1560 wrote to memory of 4572	1560	Fnjocf32.exe	107
PID 1560 wrote to memory of 4572	1560	Fnjocf32.exe	107
PID 4572 wrote to memory of 1724	4572	Gkcigjel.exe	108
PID 4572 wrote to memory of 1724	4572	Gkcigjel.exe	108
PID 4572 wrote to memory of 1724	4572	Gkcigjel.exe	108
PID 1724 wrote to memory of 4588	1724	Gkhbbi32.exe	109
PID 1724 wrote to memory of 4588	1724	Gkhbbi32.exe	109
PID 1724 wrote to memory of 4588	1724	Gkhbbi32.exe	109
PID 4588 wrote to memory of 3308	4588	Hcedmkmp.exe	110
PID 4588 wrote to memory of 3308	4588	Hcedmkmp.exe	110
PID 4588 wrote to memory of 3308	4588	Hcedmkmp.exe	110
PID 3308 wrote to memory of 3684	3308	Hjaioe32.exe	111
PID 3308 wrote to memory of 3684	3308	Hjaioe32.exe	111
PID 3308 wrote to memory of 3684	3308	Hjaioe32.exe	111
PID 3684 wrote to memory of 4420	3684	Ibnjkbog.exe	112

C:\Users\Admin\AppData\Local\Temp\436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\Fganqbgg.exe
  C:\Windows\system32\Fganqbgg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\Kolabf32.exe
    C:\Windows\system32\Kolabf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\Lplfcf32.exe
      C:\Windows\system32\Lplfcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        50⤵
        Executes dropped EXE
        
        PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
444KB

MD5
81ff2e30b05c00e33443f6e0b151a3f2

SHA1
1f137be99c0520cbf3b9376309c3ab38c2f274c1

SHA256
385207cc381fc91ab4187beef0b32c9ea72a780183d104d001b7b0cc92d1dc0f

SHA512
531384b629733ff3d4b0d24944713aed108c45b77fa2708fd21ac4aef12be9f39cbb81199143a869616c4364ddd3ef1925d8419e51a24a55791157b284bee83e

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
444KB

MD5
18c740bbff835c065e18e9acda41cc26

SHA1
9d781240a8cc7148962e17360af900a6c2d7b09f

SHA256
9af72524620a878704ff58395c876caf2396b64ae0ad2ca8d4d57735e6ea78ed

SHA512
16947f57e4402a4cce5ccae0d1e6b8f7bd924716e29700fab58c7d02b925db0423f19b4e17660432c824715c63c83208c3176249167224580f33f4d891d5926a

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
444KB

MD5
4892dd98801e0f14db53b582c4182b91

SHA1
73e16c690394500ef41ed32c3fb372515ecb9b15

SHA256
faab3127b6144726406e0e785206548ba95c9904dab8f457afaebb389c00dcdb

SHA512
e57b96dfa353ec89b4ca9282c287b267ff85e3d519a48e68950d8add8b3b6cec0749f5820d66bb2aaa4f9973f725d243588da66532aeb7a0369492f0f9d20aaf

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
444KB

MD5
2141d3b0473558f9a80c30a32f7d6f99

SHA1
46a126a2e4397d1b103e8b0ca78f7c88d506b538

SHA256
d991cd60bb81b6ecf3b3adc880f4dc2f288d5ae10a175f3c318d3aa31f19c75b

SHA512
b98a58d6e76826f434439237b14434145a4cca4b650a5b27b11198b8cc26454b7187560ba51fc2987cfa77729e060e194524f7ce1d332fe13a4616ec04096c90

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
444KB

MD5
5509ab15454189c7c3e63c7b7e8b21f2

SHA1
d7c28207ed276625c3ef0bfcbdf354ae0e0fa2e1

SHA256
1db5fc1c5b82088a71b0c0fb0b0f6572bf2a67a50483386343f0f8ad846c7f80

SHA512
d77d1c3c7a1851c2db5e7e43730d6ea8c8598ae14c7e25a04c763134ac39cb5a6c6c656fb1b5393fc82657b9b9aec268c65535de7eb73760568b13ec470533df

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
444KB

MD5
8541a22553b204f2e2a98ccbebe8e41d

SHA1
aa5722e2260542b86a47d19339a718f86d7e34e5

SHA256
bf1fc9e050a2c01ad15d8a0d92a5406e1ef24fb96bc42f7e8b739d87c17155ec

SHA512
801aef6fbbe2e70410b24734419cb690917c718d797205a0aff19c1ac5b722424f9c2c8ac35ba98efcfc2dbc648b1bdb740ed68f32e0fe69443b23134326db59

Download Submit
C:\Windows\SysWOW64\Fganqbgg.exe

Filesize
444KB

MD5
9556839ce54f108d5e86d1211e8318a9

SHA1
575f5b46945c5a5feeac06400185a1eabb4391fc

SHA256
87ddbd69807e842a1cfe98aca7fafbf9a55871cfca7359e35a6d7ce83f6e43fd

SHA512
ee5def423fd67e0adf7f4afbbb94335f5b5f01e705de147682e77988b1f8003e6fe14335ea59fee9232dea9031a13d0d387ea204104462e20a14c0c7639f66c0

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
444KB

MD5
590147ce7050d460c23be8d3e8c7c01f

SHA1
39e0ab30afd5da48d2862b4776b4fd0e4dee2c0e

SHA256
2601d55c4a296e563350271cc2bfae9dda45551b5510cbe276cc61d17df63b1b

SHA512
a58b6822963a0f3a12acd2a27068eb8ff564046301e925f79b2920c6c6e6eeecd7cc1e219b6e3f4ae7ea9319c9b713109d89cdbd55ea96682a233117cea288a5

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
444KB

MD5
a7b05090935b594e3ee9ca3fd804e713

SHA1
dc1f146c13b2f6331aa81eff05910d9ae725e6ac

SHA256
89d4c8e33bf9958b53f8a3d8fe34fad0cafd264e0b5535f71320473461f3acad

SHA512
5947107cab70038be9e1b845b84cd9071c3f0846ba5632c448b727c2739e18197b1700cdaaa63b9ccccd465887e25443983de679289a00a2fe810d4f7d19ed0c

Download Submit
C:\Windows\SysWOW64\Gkhbbi32.exe

Filesize
444KB

MD5
ff37869e86c7d3292959ace60d424c45

SHA1
64705a013ad88e8180abac1819d906d3520575fc

SHA256
c11053cc85344196ff6cacaa441163dece5e266bed5dd1fbaf2655670755f0b2

SHA512
d61030b282ea6ce792bbc46d4abcac01d0dde09a02ebc9a9037a9f7dcbea47fa3020614eed04fcfd473715177d881c410b4a5b22eaa616464465014c844a22f0

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
444KB

MD5
afbdd1921574e87695e6e5578c6b146c

SHA1
61648aaeff0d8c782c98c6c82ac522bab8207144

SHA256
693088b18fb93d59961a58298c7829f4565cdff91783e8bf44bbcb99ce789124

SHA512
ea22494c4adbfca31394816ad7a8826963bdb85e513da61a5420b7bcf5fa7241f8bf720166f03fec278c2f4fad34616b92b01556ca2ba00ba2a120a831391fc3

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
444KB

MD5
980169a72cf006dafaeb9dec5e8d4843

SHA1
8a8c94d9781c36053478baa08bbe1743fc7338c9

SHA256
350e1af6afe9c050eca35487c6c6257ac9232de891d6ab295153cfd2bd0b74f4

SHA512
7a42a35e3314f0f075efc6b822c8737f33551da2979432f37df2ccf2a78c378c92742e6cae657e9c85922bc39da6cd8a3f6e41841f098fb27f0f72c7449df8a2

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
444KB

MD5
99385d7c620cd1891bcf6a29f665bcb9

SHA1
84a4d305200736c57a6e4818b2005e2eed0fdac2

SHA256
9367de05223f92396df7e58bc51ad94694c125f395989a67e5e0f82fbed245fa

SHA512
df405de683fbe29b829bbd99008c1954c5eb5c1d15f92755a8ccef17c5ffdbf90020118b306ccdc5a0666f10e5447f09706edaada8dc5ac4e60dee9fed282dfb

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
444KB

MD5
b746797d5dc83551ec6c8e304e4b9587

SHA1
1cc7b84c60b9e8e4a0f69da3930c85d9e355c9e9

SHA256
9ecb0f8127d40089a5d6b17f6b5e47df15178f90c5380c49cf849b0976eeb07e

SHA512
4a2276cff3414ef5c68d086de4519c48545eec390c74590a39504d8be36ff9b7f9d1e36d3d482ae0dc49b26fc1d6a5b1a8c1f6386cbaa6a69c42fe4a9a9be020

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
444KB

MD5
c16ce50035b1bb81f83bf146b9b289ca

SHA1
138d22c809563c80caf7b674983cbdab73df72af

SHA256
5dfa3dc58b541e93555ff841481345aa9171dbed32f81e46ba72db43948d2bde

SHA512
71c97730e7a71739a42d8acc6d7e24040b88c3b9b779549c9dd12017a70bb572d1d7aef32c0b14002e534da9678fabd76c449a36c2388b07c6582ffd158f80b8

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
444KB

MD5
f0e2336d8c921cc3bcb355942796e501

SHA1
a78d16f2a166ede312ce9ea167a5d012df3f9ba5

SHA256
91ea5151694845f7e4d31f6e4a521c167ac6e4208f809d46c29e4e928b478a2c

SHA512
e60be9721a463568a08354b0d0fe55796d3dd7183f39fc99de2a4cc7051b42180116e5a089110e29dd1816a335d7b7f26d1346ddb0d110552217499b46b13e42

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
444KB

MD5
bbb2bbed4866ae98fe77462e24cf3c93

SHA1
ab0a64f746eaab9be6667dc739a9aec77d353bff

SHA256
73ee082e0b707c60fd89cb02d8b0d86f6b123af5205e3db8a33786ef0cb17b03

SHA512
a0146bcd045c84ac88801e5fb14b01e0ae2a548e71f9973cf1dbcc3ef0d6bc00ea57446daae3ffce591f2ce243541a704e777a4ece57b7b625ac718050d86b83

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
444KB

MD5
763b9124026f53a0439d9cc90ed884af

SHA1
431d42d47a152f7d7c38e9dad96b11f06854d2f9

SHA256
e850eeaa44609f57072e373cd999d71af2394d4e1d4b1cc6f5a12103d2600c60

SHA512
fa9f887ae2701d528ab763ec33c4ec57c3d9e19db5794dbc5f78a1aea7a1228870ff8817540d5d67216b48e7944c227c705139915ac487a44e0bb8e629404a30

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
444KB

MD5
42f1d1b844ff72e1c3b4514d5d35515a

SHA1
7fe8118aacc1b6e96c00e2479f6704b81b896051

SHA256
a789c3c94b777d2af34709f357ac6aece3261eb178799a1e29df707239f47695

SHA512
21abc5ed0198fde12b10e0b556306e8c901a6fd4ace78a158d1e064e87e0f004eef6c0664f8850de4024b41b77db329c71206185db3f5189ac74518c2d86f668

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
444KB

MD5
b1edf3520a76ea9ee733ee346f81e6d1

SHA1
ea55e50a04359d097d9e74bc2fe53a7c10ac51c9

SHA256
5439190dc040a5ba9c38d1aa0cf68d7deea6bbe8bc2e80a44913749e4db79b81

SHA512
556e2590677cc2e66801712b76b7d42d90bc34c61c386c89a00397292cf1574092d83fffb71f21c10dd774450538d04ec818fc161b68065646e1e44a88a82015

Download Submit
C:\Windows\SysWOW64\Kolabf32.exe

Filesize
444KB

MD5
0efd17c7ff674e25435f22db2ad05d36

SHA1
36b15fc624fac480a52a3bae55a5c55537f6d592

SHA256
24d20278ea8918f08c1da00f97a3d9fa128d12c127b436be0aba9498428cd601

SHA512
3b1751a8af679b375d0859f45c79b261701e13adafe886f369d14829811ac30fc0bb84e8a266333b1a0f93eef4d59984e3e1f3adeec69d75855ba1619335ef3c

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
444KB

MD5
4aa9c3fac1f34a47c7cffb5f861b8981

SHA1
d52f41e32f4df44e08e2882ad9d31bbc99bc92da

SHA256
6c0dd1a5169189df95b24c9050526a27a287328927f34d6385bce7097f982189

SHA512
d67d805dd869f3afcdf04964763d3bdfb35e5fa29d626fec2a5233fd1a8742e1098dbc083c9e23f4591f7bb95bb264fffeac802def0c3e1d38705230967782f0

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
444KB

MD5
07d42fe06b4d3d7b9d9a648a244e3ef5

SHA1
9d2e138f84a950b5df79923c5d88555cff512b63

SHA256
d37baf6cf06d0b4ba77bee72ae711c1c18e1dab29f519f9d9499daf5a08c492a

SHA512
a4de7b98062ed9f6dd5ffb2196b8d2fb23658539c762d1d1d6a96117b97858b9c275aeab3ad13be4495763244c8d1d7cc90c7fb6e1c3f7d309e64c9c2b819f7d

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
444KB

MD5
270d6cad1cbb3b2508de8f6e4a868d43

SHA1
a18b3aca67d0adc0956d4dc3f5d2cb93a123a882

SHA256
fe4ba67319ff0d1baa6bed6717fce0b6f111c3157de7b3a3ed859b5b39a5828f

SHA512
3fd2d7cdd469797a1f76dc16733440ab7b1e86574bb7799bb7a1e98a450a7f2565a7b3b12adcffff207b1fe14a85a886c27a033de1b0ecf92bba5a8334770faa

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe

Filesize
444KB

MD5
9b770c13c259de69f0b9b6f3a1946edb

SHA1
2588ae9e3ac6a6d6eb09efb8743e0fa010706488

SHA256
5a56687bcf8c8729ff78605232adfda712fc29d881d0f317f097ac8064d6f16d

SHA512
f48c6b24636137c07159dc701bb644288feba91f3c8e70a6014bc814cca82d306c42d4f6019e312fc666544a9ebe66f8b665bc19beda9c98cbe3d790b49958b4

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
444KB

MD5
ead7729d79286841806fffe7c63a66b6

SHA1
bfe393cd5e23b7407ed65d5740ee489023093128

SHA256
0e1924c3d388012bd64f1a18ec1f0ce1aacb6b9713d67cd92b6952999ca362eb

SHA512
67b844e8c82118f966a7117b1f6b86875f2ecddffdbcbbfae0f8db36cdec4dd59558f3309983beb44d97ba4e18f5fc60cb2a60ecf3b06d64758c74dcc4253283

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
444KB

MD5
395d5a6289105938f28f7fffaf6cf9fa

SHA1
06f8e3e4393ea1636d0ee31d930e24e3f83dad10

SHA256
8fbd7a0b081fa8a34f86bd0fddf67ba40aa7f47d4998551d095d8ba3e6536337

SHA512
ede94136199edc1d8837316ec1cd57896365b0d2d8a549d2824f83ca5905f6c8f2afd2e79ff12c93406f4f2a2e5e97b8bd49649d5e52c1bae38a51d22f256190

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
444KB

MD5
63993caf6e84933bb98fae263455b6a5

SHA1
8f947ddf67e151456676f175f7b74c69761431f2

SHA256
25759eafa4d8fb91987bcf8ba9b82083d0e206d6681c71fdd34459ea62270e12

SHA512
81ba921708d6a370251db120f613a8205e2f9e2289c5d87283e3fd67652c8b3b97aaa27984e3fe8aab7277f46eaf331fb247131865a913f8794197c6fa60f45e

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
444KB

MD5
e972c9cab246b779347a29d479abd2cb

SHA1
1b825bb9313fbdc6618579249b47cc29a8e139cc

SHA256
03e67d707f5644e8118d22d9bc56b45b05fc11b61cdf18508661212aa8d2a6b5

SHA512
707a8ab9340ed58d2268e8b2c094659d893aaaddab8e47ed03f4bf55435c5481fc904f618d22b37992b606cf3faab92ca2de6442f458dc1bc2c44910984889a7

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
444KB

MD5
ac2c25899ddd4427b7edf20610f27b3d

SHA1
15f7243dc4a4c7fa4f880b4e21602b7eb0660ac1

SHA256
72fc80501efd78fab544ab86344c5fa52b9c0f57bcf87166615db7f188826dc1

SHA512
0c823082e97efe4732247e922c2dcfce759b7d2b041b4d4f8a8cc361200d924d47ad14919925696ec22e16283f27ce4cdf006c7f6bc1d816900cc6fb5f08e195

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
444KB

MD5
483b044f1395da3a69533da04876ee5e

SHA1
5f7af85e60ebe62837706f19f3faeb2033af30c7

SHA256
d9a61bbd05bae030004ba28f89fbd93da0f6e6b8037c5484f464e65e21a7897d

SHA512
72340360901492b1590648ba4a7f1dff216762854b2921ab11887d24656e6f14034507a27c8ed5a660f281cf406fb820a551b5e8ac9246826e98fd0c8144b701

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
444KB

MD5
bd1f7aa1e5e4d26b053f1e017b270149

SHA1
06380f6e05b80118f9a0cba33ec7a0320f527e42

SHA256
11aba912305b893c4b5f359b687b909cc7f017087f598628b984d4d09731b6ec

SHA512
a9891b8922c1af666dffffb2258c36163f9f39c2c70f850d7680b1ff4a9e322576f586467981fe56818857ec5356910bcfbdf4a36d5f0b05c070691168233233

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
444KB

MD5
16d04e1204ffe28b8d21401d4a6f3698

SHA1
06dc94ab130fae7323c0dd70eff283e5de8ec4ce

SHA256
18206a342ced6105f0b123071c7dd848e6d48671a00041e5950399fe6961348e

SHA512
2aa771dc9cac9f69c27608fb74464c04f509ffc18202dc86803089a582a4733aec9a31b6efb36c2b6410fbd71010f2585166ee5315b24eaf8c49de93d4dde302

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
256KB

MD5
02206820b41be7372d19fd7b87c6a1dc

SHA1
527572b815b102179d55d954db609101c7bfc220

SHA256
f12d239998e1337000106eeab3aeaddd07c959110190a88a8702401ed0c52eb5

SHA512
bfe41fa27bb81a1c7d1cc9d61022e7c78631bf943a3a54be525c44b51d8a50a5c649d084f566165700ed1da784ae8f8282efce4b77fcb523d24f3b3f10368752

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
444KB

MD5
3845fa7f8ac3aca25355d9d33b2681fb

SHA1
ace4a1350db1d25b8e2019e3e4022ebb95ee0a45

SHA256
8b6fa8e91828eedf86c5f86e1fac968983be08547cf7ba590215cc333ab6038d

SHA512
532014b5937300ca36afde95705780da7e667f87a991d3b743174705dee405e4c80f436b4b4424b2dea6e1b1c51097716da0b93b3edeb41ea3602047f1625323

Download Submit
memory/116-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4832-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads