38114454acd3264b590bd5e0612be557551355e2f5cf03c8376f8a3b46dcc510

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Size

412KB
MD5

3188fef5ef461d9a9495b0ab45b4c320
SHA1

8fe029dd5a825b6c534a925226f05a019278f3c8
SHA256

38114454acd3264b590bd5e0612be557551355e2f5cf03c8376f8a3b46dcc510
SHA512

75c25d854fa248448f0c57a44b450849656e9e051ea4d9043947d684ef6990e6dc864f95d175b271860e88e53f369a088c932074cb930937bd795749baff14bf
SSDEEP

6144:WO+zp7NdmoBB5CMHP7RQmfMishe4Zgufq+cREyR/yfjoshaphaiB00:WOIN3CMHieikLB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmjlojd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijdjfdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe

Executes dropped EXE 53 IoCs

pid	Process
3360	Jokkgl32.exe
4312	Kfnfjehl.exe
2728	Kjlopc32.exe
4392	Lnldla32.exe
5036	Ljeafb32.exe
3432	Mcpcdg32.exe
2980	Mfqlfb32.exe
3256	Nopfpgip.exe
572	Nqbpojnp.exe
4372	Nnhmnn32.exe
1876	Ogekbb32.exe
3744	Paeelgnj.exe
3548	Pmpolgoi.exe
1116	Ahmjjoig.exe
3140	Aopemh32.exe
1820	Bhkfkmmg.exe
2692	Bogkmgba.exe
404	Cammjakm.exe
2468	Ckjknfnh.exe
2408	Ehpadhll.exe
3096	Enmjlojd.exe
2868	Eqncnj32.exe
4680	Fijdjfdb.exe
768	Fqgedh32.exe
4512	Gokbgpeg.exe
4436	Gbnhoj32.exe
4696	Glhimp32.exe
5100	Hecjke32.exe
1416	Ieojgc32.exe
1536	Ihpcinld.exe
4784	Iolhkh32.exe
1112	Joqafgni.exe
1784	Jpbjfjci.exe
2220	Khbiello.exe
1308	Kheekkjl.exe
744	Kidben32.exe
2308	Kifojnol.exe
4488	Llnnmhfe.exe
1760	Ljbnfleo.exe
3468	Mljmhflh.exe
2984	Mqhfoebo.exe
392	Mlofcf32.exe
3880	Nmaciefp.exe
4424	Njedbjej.exe
2320	Njjmni32.exe
3852	Ocdnln32.exe
2172	Ojnfihmo.exe
4640	Obnehj32.exe
3700	Oflmnh32.exe
1796	Ppdbgncl.exe
1108	Pcbkml32.exe
3204	Pmkofa32.exe
5056	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Kifojnol.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Nmaciefp.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Pmpolgoi.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Aopemh32.exe
File created	C:\Windows\SysWOW64\Ojidbohn.dll	Ehpadhll.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Kheekkjl.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nmaciefp.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Gbnhoj32.exe	Gokbgpeg.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpcdg32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Gokbgpeg.exe	Fqgedh32.exe
File opened for modification	C:\Windows\SysWOW64\Mqhfoebo.exe	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Eqncnj32.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Jpbjfjci.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Damlpgkc.dll	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Kifojnol.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Hecjke32.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Ieojgc32.exe	Hecjke32.exe
File created	C:\Windows\SysWOW64\Khbiello.exe	Jpbjfjci.exe
File opened for modification	C:\Windows\SysWOW64\Ljbnfleo.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Obnehj32.exe
File created	C:\Windows\SysWOW64\Jokkgl32.exe	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Gokbgpeg.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Oflmnh32.exe
File created	C:\Windows\SysWOW64\Bhgbbckh.dll	Nqbpojnp.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Kheekkjl.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	Oflmnh32.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Kjlopc32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Kheekkjl.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Anhaoj32.dll	Eqncnj32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Iolhkh32.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mqhfoebo.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Enmjlojd.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Eqncnj32.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Mljmhflh.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Fpnkah32.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Ojnfihmo.exe	Ocdnln32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	5056	WerFault.exe	143

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaoj32.dll"	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll"	Glhimp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaodc32.dll"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll"	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll"	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognaofl.dll"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhimp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqncnj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3360	1140	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe	91
PID 1140 wrote to memory of 3360	1140	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe	91
PID 1140 wrote to memory of 3360	1140	3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe	91
PID 3360 wrote to memory of 4312	3360	Jokkgl32.exe	92
PID 3360 wrote to memory of 4312	3360	Jokkgl32.exe	92
PID 3360 wrote to memory of 4312	3360	Jokkgl32.exe	92
PID 4312 wrote to memory of 2728	4312	Kfnfjehl.exe	93
PID 4312 wrote to memory of 2728	4312	Kfnfjehl.exe	93
PID 4312 wrote to memory of 2728	4312	Kfnfjehl.exe	93
PID 2728 wrote to memory of 4392	2728	Kjlopc32.exe	94
PID 2728 wrote to memory of 4392	2728	Kjlopc32.exe	94
PID 2728 wrote to memory of 4392	2728	Kjlopc32.exe	94
PID 4392 wrote to memory of 5036	4392	Lnldla32.exe	95
PID 4392 wrote to memory of 5036	4392	Lnldla32.exe	95
PID 4392 wrote to memory of 5036	4392	Lnldla32.exe	95
PID 5036 wrote to memory of 3432	5036	Ljeafb32.exe	96
PID 5036 wrote to memory of 3432	5036	Ljeafb32.exe	96
PID 5036 wrote to memory of 3432	5036	Ljeafb32.exe	96
PID 3432 wrote to memory of 2980	3432	Mcpcdg32.exe	97
PID 3432 wrote to memory of 2980	3432	Mcpcdg32.exe	97
PID 3432 wrote to memory of 2980	3432	Mcpcdg32.exe	97
PID 2980 wrote to memory of 3256	2980	Mfqlfb32.exe	98
PID 2980 wrote to memory of 3256	2980	Mfqlfb32.exe	98
PID 2980 wrote to memory of 3256	2980	Mfqlfb32.exe	98
PID 3256 wrote to memory of 572	3256	Nopfpgip.exe	99
PID 3256 wrote to memory of 572	3256	Nopfpgip.exe	99
PID 3256 wrote to memory of 572	3256	Nopfpgip.exe	99
PID 572 wrote to memory of 4372	572	Nqbpojnp.exe	100
PID 572 wrote to memory of 4372	572	Nqbpojnp.exe	100
PID 572 wrote to memory of 4372	572	Nqbpojnp.exe	100
PID 4372 wrote to memory of 1876	4372	Nnhmnn32.exe	101
PID 4372 wrote to memory of 1876	4372	Nnhmnn32.exe	101
PID 4372 wrote to memory of 1876	4372	Nnhmnn32.exe	101
PID 1876 wrote to memory of 3744	1876	Ogekbb32.exe	102
PID 1876 wrote to memory of 3744	1876	Ogekbb32.exe	102
PID 1876 wrote to memory of 3744	1876	Ogekbb32.exe	102
PID 3744 wrote to memory of 3548	3744	Paeelgnj.exe	103
PID 3744 wrote to memory of 3548	3744	Paeelgnj.exe	103
PID 3744 wrote to memory of 3548	3744	Paeelgnj.exe	103
PID 3548 wrote to memory of 1116	3548	Pmpolgoi.exe	104
PID 3548 wrote to memory of 1116	3548	Pmpolgoi.exe	104
PID 3548 wrote to memory of 1116	3548	Pmpolgoi.exe	104
PID 1116 wrote to memory of 3140	1116	Ahmjjoig.exe	105
PID 1116 wrote to memory of 3140	1116	Ahmjjoig.exe	105
PID 1116 wrote to memory of 3140	1116	Ahmjjoig.exe	105
PID 3140 wrote to memory of 1820	3140	Aopemh32.exe	106
PID 3140 wrote to memory of 1820	3140	Aopemh32.exe	106
PID 3140 wrote to memory of 1820	3140	Aopemh32.exe	106
PID 1820 wrote to memory of 2692	1820	Bhkfkmmg.exe	107
PID 1820 wrote to memory of 2692	1820	Bhkfkmmg.exe	107
PID 1820 wrote to memory of 2692	1820	Bhkfkmmg.exe	107
PID 2692 wrote to memory of 404	2692	Bogkmgba.exe	108
PID 2692 wrote to memory of 404	2692	Bogkmgba.exe	108
PID 2692 wrote to memory of 404	2692	Bogkmgba.exe	108
PID 404 wrote to memory of 2468	404	Cammjakm.exe	109
PID 404 wrote to memory of 2468	404	Cammjakm.exe	109
PID 404 wrote to memory of 2468	404	Cammjakm.exe	109
PID 2468 wrote to memory of 2408	2468	Ckjknfnh.exe	110
PID 2468 wrote to memory of 2408	2468	Ckjknfnh.exe	110
PID 2468 wrote to memory of 2408	2468	Ckjknfnh.exe	110
PID 2408 wrote to memory of 3096	2408	Ehpadhll.exe	111
PID 2408 wrote to memory of 3096	2408	Ehpadhll.exe	111
PID 2408 wrote to memory of 3096	2408	Ehpadhll.exe	111
PID 3096 wrote to memory of 2868	3096	Enmjlojd.exe	112

C:\Users\Admin\AppData\Local\Temp\3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3188fef5ef461d9a9495b0ab45b4c320_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\Jokkgl32.exe
  C:\Windows\system32\Jokkgl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\Kfnfjehl.exe
    C:\Windows\system32\Kfnfjehl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Kjlopc32.exe
      C:\Windows\system32\Kjlopc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        54⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 400
        55⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
412KB

MD5
7adc5c37ec7669ab2fb033e76113c82b

SHA1
9c3f5f9d85af4109eb92fc50472520cd870bba6d

SHA256
03b1596426260846b8ce3dde67bbda99d5e7b7bc33a6e7f67a93a3a042c452d9

SHA512
be862b7ac5de57095e9c9fa90be8ef63e21d3a6c9b6a35e92df6e5aaa40edd0bf87ff1db72fdb18d340550830d6b9a32f63ca349d8017599e7da378891c32836

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
412KB

MD5
8e9d17d830eb2db8a8215513e9b4deb5

SHA1
a34c88a07e0a17ec06715986cd53e99252364a4c

SHA256
4bd4d0d64fed3a18f975da480c1f79dd8d2e45930af8cb14fecb7af54042b600

SHA512
162d1a7f12cb3abe80327ef66e4b1737143f181612ec17cc36b9b5ba4c492838fd1d12542c2bee138f6d725e47c1fe64bc5f49cf83b678a6dfd22a65c6b8d196

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
412KB

MD5
7545f7610b5362e85f4430fb7e837616

SHA1
b13238d865353411b25fc89d9800744503b08a82

SHA256
e95c61541d2bdd5ff52295e1cbdfbd175aade94d6c9580877e35a1dd5c706e2a

SHA512
2faafcac4ea8411ca3c6caa2bcd603ed0a3490688acae76157da3d917bbbc3f918bafbbd52a49ebc435cd0001276773a04f9844a68597d18a44396d4ac39ed7d

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
412KB

MD5
f299058ab3a9d8f718ac4746390e922a

SHA1
70821931361bc15ba9813a17448c14da07a70074

SHA256
24c2d4c1e1c340ad92bf93c0a1382a4b00dde2b464e3f207de9d2d820a2d76d1

SHA512
408405d6f0fd2f8cb935194447183c1bb9f273c29de61a355c77ec41d62b870a1063d99877cdb8ad980189fb88dc5ea00a3c3b449642522790891c5dc5c79265

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
412KB

MD5
2cae71985838546a940574896d1ba8aa

SHA1
1451a3d41db5927d2f25f4ca75a6320e0b35e8a1

SHA256
323af0672037af4d00cfadc6c0b76b415cf0029af77afe76b5815ee0690667a8

SHA512
94121e29232c3e72ac3d04cabf1b99feda4b966a18861ea4486bbca1e8d84032f958543ca1515e3e2a316aae62a0b8fec2438f6632bbb26793f4e68df7058604

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
412KB

MD5
6d566eb4ee9f7bbd40f8f8093e96175b

SHA1
544e6c9872cc52e041edcb02edb455d19523988e

SHA256
0956547a8ccc90816af01f7b6deaf6fd3bd1caaa87d7d3db4ba13c24bd8db587

SHA512
d134d603da232e8b7e58e18df4472b43f6683ed0dc84b782f69d714157e94e0b4dc669bf8665d3b50146f7be8d863bba1c8a74cd39aeecdb6dcb874b89965897

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
412KB

MD5
0135c1644f8b18a858456b5ef336b99a

SHA1
4effb96e92e1ca60450242031f0d031d2fa2e5c4

SHA256
f228bf9702af814264a4536160adc214f6baa195273100bf5ce3b569943c183f

SHA512
3b263e3d3c683d6b272d28d3575fe0a99d92961114cd3af3e6b057a575b4f21f7fcef03f0183ba281115ee7d227e09516a21836451c6d2b06dd437d884166b62

Download Submit
C:\Windows\SysWOW64\Enmjlojd.exe

Filesize
412KB

MD5
78a5d36358c2fb205df1781c218cb2ed

SHA1
e14d78cb1235993c1fa1e386cbe75c5f930f8e90

SHA256
7d5f95fd0c1af89f70998ebcd56cf42d23d1e28108ae1a6926f77e556a8afce6

SHA512
9058a413d37a6a53eca84c90fde796c700e61767ba098e495212406d65fc1f7a9f17a58ecdd504b57ea5019b0919768b8cd17b2246a692d5c52ba794fa3ed016

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe

Filesize
412KB

MD5
6955bc66f5f4117471f17ea6c410de1f

SHA1
d0dbe29fad1cc1f9598859e8ca06c75d4d9542c6

SHA256
d536ab7a209713e5141a3a639aa61282d79f476ddcf51e7d1b0eca90ac5a0f0f

SHA512
f2714a35ff46892b60220d1d45c1e4812a37388934e927d7fa083d87d117dfe065a41a83ab0dd3ac4d407b17c77d255a31ca6d86c8ffe7c03798eb2d751fafbd

Download Submit
C:\Windows\SysWOW64\Fijdjfdb.exe

Filesize
412KB

MD5
529682a81d10afc666e862269d20f02d

SHA1
cd6cf3ed641be269a32e2ace6e02a0aeab35a06b

SHA256
341dfa63a400a1a97489cda07208f38d4ae0e36aa911e7d74d32b0052a484d30

SHA512
b301a45421a7e4e48ab91a2af7b1c7278a8dd487a5353cf4cf0b399732954c156e1933066e360f87adf6e8bb320acedad93d66fbdd80521f21776904812cf6f7

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
412KB

MD5
4e8ad95a08c2cc89a854305fc1c97b50

SHA1
42f20cbc65661cf580af31492ce6eaecbd24a85a

SHA256
05922c1cf8eb8ad13e678ccdf550b3df6f104827df25675aced72a7524145e12

SHA512
5a45dc0ccba67c9e02cec00bcad77726738625d3ab35d4b24c7fccd246477ece82ab3a41bd727a245418b86a6cab196783a0817b626b0488a8f6d5688dd330f0

Download Submit
C:\Windows\SysWOW64\Gbnhoj32.exe

Filesize
412KB

MD5
bf483845711e4e6585dd7d4913d6c4c2

SHA1
01493da4ecf1a27e1452f49b0c23fec126563780

SHA256
57a156729e5d7e3a39fdc7293b44897733794eef5457a4ad45e37d30f7f79d45

SHA512
4e677b8eda5969e33c604cdcc156e19ec325e7e481293c8f2e654f00d284db6407b0bd1135e4ddfe9c1eab14e6582882949016156e46490ec2d419c2668a690a

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
412KB

MD5
7d0b343497d152f1997c849550d1e434

SHA1
31c58775d9de85ba171add302d42a13ad4cc61e7

SHA256
b14f9074caa70a9872bef7751698d768300dc3a2de21894e0969ad88b8844377

SHA512
567429e1c6e7ff5cf4649a0f4422b3048da956ce3d5dd8b28fc638d9a4ddf726be478e0819ed15d5f203b7bef876978bde9e291a90c995e95e9be0c0accca3c6

Download Submit
C:\Windows\SysWOW64\Gokbgpeg.exe

Filesize
412KB

MD5
81e42b3af817d698c64e868f181e5816

SHA1
a5100bae83ba29e60fc05816c6e32a7b05accd25

SHA256
b33765b77d71204dfb2b051dda9403b4dee6ad0c05368c99d9ba671d0a9fb66e

SHA512
5d4662722a4f371d904dc0bd2d8b87718be0009302ce6cef5bbf2c8a988cea182b505079c05b466710598321690c56554c268e37a9dc378f9320460711beba6d

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
412KB

MD5
394285102a03ed6591aaf07c75cdbd2a

SHA1
769989fa239cfbb7843bdce9a35e2933f1377f84

SHA256
3ee77b27653f3d808d5789c4c6211216d5c1333b1b6ef426ea7debbca890c3d6

SHA512
b7f4466883c5d45f8ef27e8f451a0884040785aac48271dc1feb6ce5f3d4f194efabbb5f02fb5b1d405d9970aea9a3239aab7271f92b283d9787b8e716e7e6d3

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
412KB

MD5
d8d9a9509790db0554f7a4a26b96be2a

SHA1
a3beb0476de12164d3ea0920c05cadbf545b122a

SHA256
dd5b2b5583f32a9eee3f15846dbbd6d079ac682615a4310a2111d0c6c24f2eeb

SHA512
1677ca85b59cb7b068cb2e4cf7a59e268b3952838d2ee6acf2a5011b4b8258786fc504be5a4633741e9b61b6347518b66614300615ea2e22fa348836355bc7f8

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
412KB

MD5
07d0ebda476428ce8d0583e2f5d14a45

SHA1
b0580b635a1f24eff0c60f66cd73cdff8524715f

SHA256
a1f2d2902604417cea73dcc23f836d9a78ee12d8cedd5d098361c392f3f96f70

SHA512
a6b3c35f9d9e53ac172e8b012ad6fee1241c9bc217b721da14e308081cfbbe77d9be0761376908501c50160dfd4478757dc557a696c47b87dfb8f12a34fd6420

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
412KB

MD5
e44dff35a3b2fd91a9222dd18b74ec91

SHA1
faf0b6a0f1ed22c646013f3bf7bf5550e37a82cd

SHA256
34c1c06cd62f2443a6eb87f5e38455b0159276710739938748f6ffac570ede1a

SHA512
6919d1b371b0f6b1ca183b955a5f1874d056da9eee84e1d087c87175ebee3244782f469952cb67bac78a05427e14b1488554624d3981bfeb68ce72857d453955

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
412KB

MD5
f1d4787385fa7c1b87257dff35351923

SHA1
64d0e8732d7a0e33607e47f05c6fdf3ac61a0d54

SHA256
ec453a3312504f525d62efaf8a316e92c9c4f0492fbfadaf2b3cf2f530572fc3

SHA512
43a0431df6240a4b4e9a6bb852572bb44efe195c2ecf3e0085a6304c9c258d729c49d32c9c6bcf692147cb697ba05e681f1c5cf25b57c4a2332c9ed272d06809

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
412KB

MD5
3e5b6f52558b3c698406a858cf6c2931

SHA1
b0cd55eaf77ac785280d7208230f9772399e47d2

SHA256
22f932a957c2907c456b1da523dbca1e01477d9d7d4e7da3d5818ce4b8bf0b35

SHA512
9b4fc4f32e70b7a3d38b6027aaa4f916108407ace3d9eefdc15a2c7c9f3ce6b90ff809029bc54609d76bcc7bb9158617145ebe9310d7063937406962717a752c

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
412KB

MD5
bef9f095fe429d000b9152b88304ff75

SHA1
70b4d144ca76e921442baa152cd354b03e9675c7

SHA256
975a57d28ccf1e0fbf40ea3616484131f5b818fef3e5ff4938f1ab111476e81b

SHA512
1a9827e19266ba70b5ca7a60f69ecacc240af92785a63643a8e4bda65a9b9ff6c094741589f10ca614c91413226e2ad66f753bb92de4240243e8e8d456530839

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
256KB

MD5
7aa6a4ca5dd8f949606cc7373f9b7ef4

SHA1
0c7fe415e4ff478cfcacef5b1305c8ba4ccb2468

SHA256
08b0c93f539c112438570b1909f7c8cd838a2d681acac28a91023ef392798fbc

SHA512
63983852d0dc33cae16974f6a1f13dd6d927f6e9077acfb36ffb702ac69f7f3b34cbf2a337276199ca427c118d475b8b068a860873ef8cb56134ff05f8ef4bc5

Download Submit
C:\Windows\SysWOW64\Kjlopc32.exe

Filesize
412KB

MD5
966eaaab635f82b3c506fc6b90a48fb9

SHA1
3b1b442bd8397cd6ecce49dd9d06a2fc0ef6ee62

SHA256
2156ea0976e52e954306b38b5bf8b0bb170b542107639bd25486cd0219744cc2

SHA512
fdf8dc8b477322949dd2b5a2195023977365d63869579094e5f9b73c9bfed33118577ab08f18280b1a770823541a2418682b9af769fa50b38792607a9dbf90c2

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
412KB

MD5
b17b2e0d70032be1d7234daf19e1599b

SHA1
9c6f0b223df4617a72d997233d87bd8660b3df61

SHA256
e0248c45ff95414a0ccabb1dde296b10d0b0b119533a90fba31765733d36f5f3

SHA512
74b3987c92c4eeae33d85531aeeb0195dc387650e45af6e4632f8db404071bd24bacc264708dbc1af3c5b10ebc5c01dda6e1f8669eb77ad90d36954d3aa540c2

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
412KB

MD5
2d853d042c6a68f23210c344a5eb0adf

SHA1
01735e37fd91c0c4c4493ab724dfc3cda917ed31

SHA256
cb3127f854cc30649eeb6b4254146618db6f3ef460ec3c9a8efdc4c87b6083bf

SHA512
2aa783948d4093e86d84eef301d5a82963fd506e7d318911626f3f29559871f348436c01ba7adfdc8e8de8a36b6ebf2c79d9872e9b5fbff061f825c0dfda3594

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
412KB

MD5
627f3d46009fa7d754ae9ef3ea8ce45b

SHA1
82d7040eb6d31a41eb93071e42b3aef4c3e447c1

SHA256
99cd00e3537781e2aa97b307b41db2af564fb653b6b20717c3418a9fcd168989

SHA512
88654bab2dc330850c10eabf85f511cc0e734d417a83a43bc0cf16953a52c3117d441a10493f49ae23c8e65accabc403bc5d11559dd7b98e0abb5080cc1dae86

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
412KB

MD5
4ed4962c8a2e47f2bd287894b87855b1

SHA1
f6b0d064371a61386d60591f9999ad8bb1714968

SHA256
a24b519e2bd23484b662ad6b63be6aa418c7a086e2dc15b8df7405053584a4c6

SHA512
b7d922d4ede0549f8f33665eda0742d98671d405dc10cd130100e1bbe32f857d42ed57c59f0672fce645a900142f295e279ae977421ef3d1ebb3a741445e2ece

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
412KB

MD5
f96537f064bf6e85e1ef3bf8595416c3

SHA1
739efbda282bcb97a0347a4d0481ab29ef563e97

SHA256
8972973e7978f2453097814b7e7033053dc5a67515cd0f30602964757886426d

SHA512
2dfc42702875519ed50c052bff5cfa2e7e175ed60cbf8449ac8d757598dac7c5eab0c79e8d25a3a3ccacdc9c7cf111e20197b3cab7297ad00ad5bcdfa374cc8f

Download Submit
C:\Windows\SysWOW64\Mljmhflh.exe

Filesize
412KB

MD5
331d5a3a0b24827f80561ccdd74143c9

SHA1
36769fa3a3f34400cfcfa3b7fdf2732d7f4221dd

SHA256
006176f99b7b187c544f3473abcad684e0f15225363e39ae804531f872f0d812

SHA512
730e8f0d1fa1f03a8f0f83e90c1fed61d9bc264940b7c70c9ce25919fb6aac2f3c76c453faa34528e5743600a50d0c274fd76c8cad10827772349dfa8394df87

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
412KB

MD5
e15991a3a5cba39ee14d76e47e363aa9

SHA1
2eae1347573fcea6a8e388e7d9e51d146976c00e

SHA256
6eb389ba6d17df5447246a39ea406ff137bdcfb77cf6deef8052ee1004dd2b60

SHA512
92e8e01050c1f006fa4dbb5a56693be0a36cc03cd9d520855592d31c060316b7282ca535e2d0322806b2bde1181ddcb47d9141ff54765a0ccb048e534ae34059

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
412KB

MD5
5c3a6d539916d95ece176de9c065cc89

SHA1
559772276da110e88c59a04ad77c77687fe35776

SHA256
1df2cadf65eb81197aa95319ea1693cee2dbb3fd1e2898e0fcbcf14a8cafca3e

SHA512
617d5b45a1e6c8b6d8bf84edc26b7408568305d369f3358509dbddca59f06c1c7ad2896a7bef95c033bdf9cb5f9ddee637666e7dbb1839b179e9c21bb460620a

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
412KB

MD5
5629def2a3fea1f8e9f8693ab04451e6

SHA1
56073f8aa312cf3c34e1e1dd65e923bf95ddb6c0

SHA256
b2a80b5cca2875706b5927d3193061ae11aad6bd4b686c9ce239804e09fc5ff8

SHA512
58b5f30c64906a326dfd68e1878c7e010aec8bd206f0afaa572130751aa7d76345fcbd2ea84f829636bb64053fe9d0b7e3bd7d642ede4ac202e3e7ce75d2afa1

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
412KB

MD5
d628dcbac36c7fe01e5fdbd575d35d0c

SHA1
8e577d63ffc517fba07dbefd6a304b32a0451a85

SHA256
d7b943610a09f68777cf19b5e39a3a2c8d777d6bf98ef81fa89bf3b1abbceb36

SHA512
702894efbf8f50ee6a25f0af5982ce3945a21ff0410d23fe2615c7b3474dd0d3eb3e5ed8fa388c287ba0c84f9a6efa6968d1b2e70b3eb8fd6ffb0a314bcf9a90

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
412KB

MD5
005680966df9b7a70da8f8878660f5dd

SHA1
3f918d1bc395eaabc8b28aca38a11d74532d36d1

SHA256
8ba9f7ba7fc9a6c223abdc6421aedbdfeddce32cdfc0c24b07571dc181e123a7

SHA512
af8262af171d8c1c9d9129082cb443e64efd7750bf674ac7e5d575e4a4875f2558c04eacddd259bfb7d4fb038722dd30adb092a4fd7ed085758d006f5a5d8063

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
412KB

MD5
149c4511ea7f50c23a77b316aa078b6c

SHA1
4270893fd220d33fea4dbbad181764ceba66bf75

SHA256
8f1ea84356a615426b90da8af82ef6c5530413bb1c5afc3da6bfe069cbc6a073

SHA512
6c41dc02c531293602e8795aed868fbd915fd3041dd976435ae35ce6f27749add9bf746716f1ea3a4058f96f405a9657c8482fd73afc0a4bfc1ee79b08b53f81

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
412KB

MD5
3bca812bcf1f4f7880a294fa2d8f7441

SHA1
11084aed76ac480093a4dac15d5470bce91a6f66

SHA256
7d696c7cad388dea19f21c1b86f335e2ca42ba6ad503ad558242332fa39a8966

SHA512
1d290fe1271a894594d67aaad513e0097e0b3f892ede1203c154827f78b9e8a6b144b7c1c3e5af67a5b0764b27a5f7a6d74dbc518cec7bdc84c62fccfb004a3c

Download Submit
memory/392-326-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/404-146-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/404-482-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/572-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/744-284-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/744-446-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/768-193-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/768-470-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1108-417-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-258-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-454-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1116-490-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1116-113-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1140-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1140-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1308-279-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1308-448-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1416-460-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1416-233-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1536-241-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1536-458-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1760-440-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1760-307-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1784-265-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1784-452-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1796-419-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1796-382-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1820-486-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1820-130-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1876-89-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1876-496-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2172-359-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2172-428-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2220-271-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2220-450-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2308-296-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2308-444-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2320-346-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2320-434-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2408-478-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2408-162-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2468-154-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2468-480-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2692-137-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2692-484-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2728-25-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2868-474-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2868-178-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2980-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2984-436-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2984-320-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3096-476-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3096-174-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3140-122-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3140-488-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3204-390-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3204-415-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3256-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3360-10-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3432-54-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3468-313-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3468-438-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3548-105-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3548-492-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3700-421-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3700-372-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3744-494-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3744-98-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3852-352-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3852-426-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3880-334-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3880-432-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4312-18-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4372-81-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4392-35-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4424-430-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4424-340-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4436-466-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4436-210-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4488-442-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4488-298-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4512-468-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4512-202-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4640-366-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4640-423-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4680-472-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4680-185-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4696-217-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4696-464-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4784-456-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4784-250-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5036-41-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5056-413-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5056-397-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5100-462-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5100-226-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads