daed09580bb46b360968a4b6f445071d091818574534822a070e0014afc07e4a

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
Size

59KB
MD5

2700add142f1a75cd0199bf207eff980
SHA1

ee6d3c86b3996269d8a65b5cefb844fb8e7fa9e8
SHA256

daed09580bb46b360968a4b6f445071d091818574534822a070e0014afc07e4a
SHA512

c571baf23195c9fda6b775ea49ed083456b9b66ca894704df29926788f43fa3bcb0840facdd0ffd8cbc4b8539cb57c3dc768f864c07ba437e92e86113e934705
SSDEEP

768:el4gjEWDm+SaE80j8jVgnHySo+XCdB7DZ/1H5/5nf1fZMEBFELvkVgFRo:el4gjiQENA5gn1ydBjnNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koodbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe

Executes dropped EXE 45 IoCs

pid	Process
4152	Jcmdaljn.exe
5280	Jlgepanl.exe
2900	Jpenfp32.exe
5552	Jcfggkac.exe
1100	Kegpifod.exe
972	Koodbl32.exe
4252	Klcekpdo.exe
5416	Kcpjnjii.exe
5756	Kgnbdh32.exe
5332	Lfjfecno.exe
5396	Lncjlq32.exe
2212	Ncnofeof.exe
1716	Nfohgqlg.exe
5960	Nfaemp32.exe
5964	Ocjoadei.exe
5976	Oghghb32.exe
6020	Ocohmc32.exe
1940	Ohlqcagj.exe
2180	Pccahbmn.exe
5532	Pdenmbkk.exe
4668	Paiogf32.exe
4200	Pdjgha32.exe
5256	Ppahmb32.exe
5816	Qaqegecm.exe
5788	Qacameaj.exe
6068	Aogbfi32.exe
116	Ahofoogd.exe
4612	Apjkcadp.exe
3924	Aokkahlo.exe
1812	Amqhbe32.exe
1164	Agimkk32.exe
3968	Amcehdod.exe
4820	Bkgeainn.exe
3324	Bkibgh32.exe
3604	Bhmbqm32.exe
496	Bphgeo32.exe
4788	Bahdob32.exe
1652	Bajqda32.exe
5180	Ckbemgcp.exe
4672	Caojpaij.exe
1436	Caageq32.exe
784	Cnhgjaml.exe
4652	Cogddd32.exe
528	Dnmaea32.exe
2324	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibmlia32.dll	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Bjbmjjno.dll	Kegpifod.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Jcmdaljn.exe	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kgnbdh32.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Jlgepanl.exe	Jcmdaljn.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Ofkhal32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Jlgepanl.exe	Jcmdaljn.exe
File created	C:\Windows\SysWOW64\Jpenfp32.exe	Jlgepanl.exe
File created	C:\Windows\SysWOW64\Fmggcl32.dll	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Nfohgqlg.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Aooold32.dll	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Onahgf32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Kegpifod.exe	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Cpkgohbq.dll	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Kghfphob.dll	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jpenfp32.exe	Jlgepanl.exe
File created	C:\Windows\SysWOW64\Kgnbdh32.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Lfjfecno.exe	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Paiogf32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Jcmdaljn.exe	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kcpjnjii.exe	Klcekpdo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	2324	WerFault.exe	135

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfggkac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegpifod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4152	2620	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 4152	2620	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 4152	2620	2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe	91
PID 4152 wrote to memory of 5280	4152	Jcmdaljn.exe	92
PID 4152 wrote to memory of 5280	4152	Jcmdaljn.exe	92
PID 4152 wrote to memory of 5280	4152	Jcmdaljn.exe	92
PID 5280 wrote to memory of 2900	5280	Jlgepanl.exe	93
PID 5280 wrote to memory of 2900	5280	Jlgepanl.exe	93
PID 5280 wrote to memory of 2900	5280	Jlgepanl.exe	93
PID 2900 wrote to memory of 5552	2900	Jpenfp32.exe	94
PID 2900 wrote to memory of 5552	2900	Jpenfp32.exe	94
PID 2900 wrote to memory of 5552	2900	Jpenfp32.exe	94
PID 5552 wrote to memory of 1100	5552	Jcfggkac.exe	95
PID 5552 wrote to memory of 1100	5552	Jcfggkac.exe	95
PID 5552 wrote to memory of 1100	5552	Jcfggkac.exe	95
PID 1100 wrote to memory of 972	1100	Kegpifod.exe	96
PID 1100 wrote to memory of 972	1100	Kegpifod.exe	96
PID 1100 wrote to memory of 972	1100	Kegpifod.exe	96
PID 972 wrote to memory of 4252	972	Koodbl32.exe	97
PID 972 wrote to memory of 4252	972	Koodbl32.exe	97
PID 972 wrote to memory of 4252	972	Koodbl32.exe	97
PID 4252 wrote to memory of 5416	4252	Klcekpdo.exe	98
PID 4252 wrote to memory of 5416	4252	Klcekpdo.exe	98
PID 4252 wrote to memory of 5416	4252	Klcekpdo.exe	98
PID 5416 wrote to memory of 5756	5416	Kcpjnjii.exe	99
PID 5416 wrote to memory of 5756	5416	Kcpjnjii.exe	99
PID 5416 wrote to memory of 5756	5416	Kcpjnjii.exe	99
PID 5756 wrote to memory of 5332	5756	Kgnbdh32.exe	100
PID 5756 wrote to memory of 5332	5756	Kgnbdh32.exe	100
PID 5756 wrote to memory of 5332	5756	Kgnbdh32.exe	100
PID 5332 wrote to memory of 5396	5332	Lfjfecno.exe	101
PID 5332 wrote to memory of 5396	5332	Lfjfecno.exe	101
PID 5332 wrote to memory of 5396	5332	Lfjfecno.exe	101
PID 5396 wrote to memory of 2212	5396	Lncjlq32.exe	102
PID 5396 wrote to memory of 2212	5396	Lncjlq32.exe	102
PID 5396 wrote to memory of 2212	5396	Lncjlq32.exe	102
PID 2212 wrote to memory of 1716	2212	Ncnofeof.exe	103
PID 2212 wrote to memory of 1716	2212	Ncnofeof.exe	103
PID 2212 wrote to memory of 1716	2212	Ncnofeof.exe	103
PID 1716 wrote to memory of 5960	1716	Nfohgqlg.exe	104
PID 1716 wrote to memory of 5960	1716	Nfohgqlg.exe	104
PID 1716 wrote to memory of 5960	1716	Nfohgqlg.exe	104
PID 5960 wrote to memory of 5964	5960	Nfaemp32.exe	105
PID 5960 wrote to memory of 5964	5960	Nfaemp32.exe	105
PID 5960 wrote to memory of 5964	5960	Nfaemp32.exe	105
PID 5964 wrote to memory of 5976	5964	Ocjoadei.exe	106
PID 5964 wrote to memory of 5976	5964	Ocjoadei.exe	106
PID 5964 wrote to memory of 5976	5964	Ocjoadei.exe	106
PID 5976 wrote to memory of 6020	5976	Oghghb32.exe	107
PID 5976 wrote to memory of 6020	5976	Oghghb32.exe	107
PID 5976 wrote to memory of 6020	5976	Oghghb32.exe	107
PID 6020 wrote to memory of 1940	6020	Ocohmc32.exe	108
PID 6020 wrote to memory of 1940	6020	Ocohmc32.exe	108
PID 6020 wrote to memory of 1940	6020	Ocohmc32.exe	108
PID 1940 wrote to memory of 2180	1940	Ohlqcagj.exe	109
PID 1940 wrote to memory of 2180	1940	Ohlqcagj.exe	109
PID 1940 wrote to memory of 2180	1940	Ohlqcagj.exe	109
PID 2180 wrote to memory of 5532	2180	Pccahbmn.exe	110
PID 2180 wrote to memory of 5532	2180	Pccahbmn.exe	110
PID 2180 wrote to memory of 5532	2180	Pccahbmn.exe	110
PID 5532 wrote to memory of 4668	5532	Pdenmbkk.exe	111
PID 5532 wrote to memory of 4668	5532	Pdenmbkk.exe	111
PID 5532 wrote to memory of 4668	5532	Pdenmbkk.exe	111
PID 4668 wrote to memory of 4200	4668	Paiogf32.exe	112

C:\Users\Admin\AppData\Local\Temp\2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2700add142f1a75cd0199bf207eff980_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\Jcmdaljn.exe
  C:\Windows\system32\Jcmdaljn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\Jlgepanl.exe
    C:\Windows\system32\Jlgepanl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5280
  - - C:\Windows\SysWOW64\Jpenfp32.exe
      C:\Windows\system32\Jpenfp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5552
      - C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5416
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5756
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5964
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5532
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        46⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 400
        47⤵
        Program crash
        
        PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2324 -ip 2324
1⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3892 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agimkk32.exe

Filesize
59KB

MD5
257000e37120260b639afc00a919bf92

SHA1
405674d0a67f7e51a1eae495c82be38e15cd5162

SHA256
d986e1475cbea131fb7445f46fb1500224f405502bc4fd32200e0a266709b90c

SHA512
01e4b8223d0312c91259cdce246749948a5301306ab5c3c00c0377b764ac41d16ecd3214b08fbc47123641e95e29369514b1c5d44fd5d0f0982ec5bf55730b2c

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
59KB

MD5
459e7374e04223fdbb298515cd739bd0

SHA1
fe1771b9e03355ca209592b0b6a178b3313ef2f3

SHA256
9762888e4a2647ba7f6f95e73c5aa7ab6fe6bc02c7cf6217f717e3f146af9955

SHA512
37976cce45e3436c9b52827cc757f9f31886eb8d454691358386ad01346fd8bf0439c9a3e39411e79491a1294cea3b0c97bc163d3c6f007c0d380a5fabbd4a24

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
59KB

MD5
befbd884a047ee60db4d1c087c8868ec

SHA1
57ceb5823e7af1f7fa7678ad166d4270bc17a275

SHA256
2d84988c1e8e32fcdf4b0f6b14aac20b652bc661cc2b00a17798a8193090ecac

SHA512
b7d5e8236e3fcf37383290aca503e8743addca0adecae57ff1bd0b59427bff3d6453af4a43b6b63a457631abde88a5e711aacebf030eafbeacb7ef89dcbdfaaf

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
59KB

MD5
b7f499fafc1a9ed4cb23742c895b576e

SHA1
1f6aead314f0f5c27ee0de7cef0d8f63d01c06ec

SHA256
8af06ab3543dc4dafedfb05d0fc5771f005acf332d9bb5b57f13cfc428a8749c

SHA512
b2989480d89cf15f4829eb2048c5a989b7f198da2eb4b37c8df9808225b3c3bd22375cfa9427174a4a839a697b29d8b12340a6b7d997ec7a631cb1ca552ee20a

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
59KB

MD5
3ffe22e7ff499b99e47b7aa8b1b6c425

SHA1
145b4449c191c1c03d5332c58825fbe2573a623e

SHA256
975edbfebdcdff2d769c2b21264a491e45911655b13bd4dfa185a6a6707adfa8

SHA512
2f3ced16a646772c04b8d26c6cf102616a4f754eaa91b46ca29793083b8af52f851562d0d62948f3a9e3e72e33c996f965c66671023b46bfe976269ea79632df

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
59KB

MD5
d61b8247f4aa4008bf6444859b9f1727

SHA1
cbef496fbb83353af945d540517126ce08c5d6ff

SHA256
181391c3ee9bb34c99b9830d99b324c4f276a04d984eca3ebd2b70bbf0c1d1f2

SHA512
4f8e3ad2d0795e748359cc90794dfb26eaff1c54bcefc045b785c67332ae3c8eb3c323a4b0d0af46310ee558a02649a857d8bf20ce3d2d5fb872c4bb156bfa4b

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
59KB

MD5
452aaa937c7f897f6bd2ec63b75a19d9

SHA1
f9c88de45eea94c7b7709ce17748c404e99b885a

SHA256
d3624e3f9612b24a5704b2e88362d803a92de0d8db7673a1b899e1a8c6ff6e2c

SHA512
5bda7960dadf148a27cd9a4b11f399b1c74a8717621285d67411d4c737314b3e289eac542a00d2f19f026828bd1839336ae4441b06c98a9a6e255170c7553f37

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
59KB

MD5
8340887791b69080429277331b0a20b2

SHA1
03ad3acac33ccf450e3950f4df4f5fd4259fd913

SHA256
bd841694c05a6ac521531bf9f5738e5b97dfd50ca13cf7e82b03efdde675feb7

SHA512
888f3d7033c38270e0c2f3f1b9a18192f9163568047bc7c1653f1cd9b322ae3e6641cdf31ea664c120d576e6012045c8e296c67aace10694de20f0cc4c6484f9

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
59KB

MD5
797e81676c76ba225b940d2d6bd70b9a

SHA1
accbdb5ffdadd64390096073494daebbfafbd0b2

SHA256
33cd6a873fe79e52ea1f2abc837007d4f5eddc5b0dbd1f741cb239f049879be7

SHA512
58399d0e00f4382006035e7172cb44fec8775c34133c3efb0021ecbe67dc935cae6950580bfad0a8ca26bf70ad31fe9f1e11d6ceb1092d9bb3e2d913cacc03ca

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
59KB

MD5
cb0431c53412ed775dda90e0d459d281

SHA1
aadb48de79659385c5fe5fe1855d5cc2b4463fa1

SHA256
ed06fbb480457724a4880f9deb5cdc478af12fd0ffed7a04f680c93fdff005ba

SHA512
2fca4f7c6d9318bd98cdcc2df3e604ea6ccd8e72284c76c65290690636ec5d52229c24672c58089ffe8052441551c305e59ffdaaf83df1d22fc452895b98bc35

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
59KB

MD5
876181ec41b927b0778239adaef41c24

SHA1
34e58c48885af1f458cab6db1dd2eb575041fe13

SHA256
89daa42cf008f8c13954e6c496005cb170760c62add40acf9f9221ff26b4063e

SHA512
fc8496f704bc220d688a06ee6cbf539b108ad1865bb1203ec25c5cd95d76683a6b0ddeb8fc527c261a1ded43438fbfc8c277c29d8152717d7eb016d9d48b6c7e

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
59KB

MD5
2a7ffafc95c699bbcd99a2c533ca4f5b

SHA1
7e74591ca7bfebc08864f0cf15397a02c44f5a47

SHA256
0ed9f0f73b5c10be49ca52267a70db201f0fff24152224363ca07c316447c5d0

SHA512
1933907541ac6466c0196434f831b3fd082e97f44dd5ee72eb39e7fe08a4f426e9c8b1eaac1b4a6e3e1f15b7d9446f93f19f37ca05f651881964975eb0b1103f

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
59KB

MD5
b836241cec1b9ebabf7df875dfe0dea9

SHA1
6983926117a4afac37efb3769659468c2a1aab6c

SHA256
047e1ab43403e85c0fb72b1d5f5059b88acf17cbde8a28466f203a8a1cd75d2b

SHA512
60b84e39eebb098a4e0e6092d27e560e652e655e34f127e48fa4dd9351dddbc37b4692b0899b5406f05e7254e727d4e753bc7c6d427a0824ebeee85e80a0d36e

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
59KB

MD5
5269aa0dc99629bfdc7fc5e3f3929ed7

SHA1
38d60011bfe70d9682d2321d297907821f7c42d2

SHA256
03cdcc80bc3f7c850b84980f5113f0f0cd9d2b704340a1fde4a0fb5aec186c38

SHA512
08bf1df2bc2d5dc4b5592f645ba38e609fcb2b452cba6622d9957d6abce0a49af31618365de621980aad5768dc94304e612fc3fde3073956eb144c77745372c7

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
59KB

MD5
9b1052963608883b4b13d9372283589c

SHA1
c65da24721180cfb51f536e10c8ecd6af15b647b

SHA256
8649a6db22f488d26fee25c5136dcc681efa4df48ad496a91f973377b8ff0ad3

SHA512
2c81dff8aa47fe2327c4e9d4d95f2e7e08e67ae87040deaa02991e13621d352144820e2bf9857dda165cb2fcfd0aecb875d016f7eb526cfded73d409573bcfd2

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
59KB

MD5
17c91d1dabb34ae6fc73b1caebc1cb50

SHA1
3c7a71a58abd6a22d0005d66e548ab58377b4800

SHA256
b5171675e1ef4dfa8a1e237edb5a8b7a0c83a440eaee4ab6f7ff496c9181a68a

SHA512
4f7d634e9e8945ff9c85174f9ad4c7ddda984f94934e2b52891e52fb5d37cb32ef790d76f7822312442c6db488054608efa9c5a2a9e7998614de840301c1f566

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
59KB

MD5
1dfae9cf10b0c10bea959423decefbd8

SHA1
98c9a52941366a9edd601485904f2bb6e691f9e7

SHA256
99a4bddb441d60fdd57b3a0eecbe361f372fdeb30247fa808572d8cc21cb1879

SHA512
e2c3e4823efd93b8d1036dcf46c2ff1ef7c069a5c725005c479eb8e3de2d830db53c261ece2b0cf1ea9848d9f8cb9227afdf41e8af32f029c62bd58973b63a73

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
59KB

MD5
e5bc4dff21163e6acfa2155401b3a828

SHA1
3cd9f3298392e85d896473d4c7773cf68f74a9ac

SHA256
dcad58fd73319b6011eb506ef9a8fe93aa12f1adb068038c8fc7adfeafa7265d

SHA512
50d5d1dd58858e6c3a9627958e649f1df3021cbcb1a3b067bed7ba443b483190ea06321b6ff0b62f07b278206ac299bb8fe70b9792eddf59c66f5de5a7420b13

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
59KB

MD5
f726d3f71a9ef17a783a39df099f5d73

SHA1
0130d580a82ca348e972c5a64e72d08a74c3f505

SHA256
aa220a7715087c7c7d00329c4abf1229b24f310d4d305f688528d616ac306db5

SHA512
0a5e2eb286e5ff2f09416677959814bc406e9321817bcbdd568919b2db66a395597425162c784e77961f47e9ab494f48d99a84041fb0882be376d615287a073f

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
59KB

MD5
8a4ed40073568a2241349a8fc270ca20

SHA1
454bc3edf93ff430d259452e33cc8882ebe00c8d

SHA256
a5a23c15dc2e82b9f59595d91f289873515b9646bc3a42856952b2f4be84bcf9

SHA512
8632b6d97a0dacb67cb0e2b428f154c6348adc3c8ffcdf99b751602f2cf09f507fd6cd8a0a9f1127cfed28605c3005f7cc76263fdd7f785b2bbdbe781f557bdf

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
59KB

MD5
1ee52fdb99e6109c0ba3d0de416e5325

SHA1
e38081bae3779b2333d513f563cf8975daffa656

SHA256
a1ff584bc2ef3c966a973717ab407df25c2d3288747adc52a3207916c9963141

SHA512
c855b3d1d5c994f92bcb03b3aba78d126f0efb74c4c23165864fb4df76839df793cd4f56a454d029a766b2318ca126b45b89c44dc355386833f052bc2774d7dc

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
59KB

MD5
64ae65b3bce1595290d1896a5d366822

SHA1
73dc8c7edda4a31e885a52aee7ae224a75e08042

SHA256
c6526e48f2efe804edcab5ae31a833502e63f39ca6f5c75b133d6eff87c7b0e0

SHA512
dcfc1127601b35767ea672e081658d5686c4198c98f6887fe973ec62bbf9af3344240882db9154768218c4bfb02b28870e0b70a1c2554963cf7825985976f0f0

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
59KB

MD5
58ad3286fffe550605b5ecbbc201e4d2

SHA1
d668144e0f2ff6804a9fa65462673696ec557f46

SHA256
e9f5e21c1a31fa2b2f477bd17b7b287cd0d787acad5e659837a5325d81f271fc

SHA512
ac87651440e07983d3c220529952083596b6d30a8a005dcaf7cebcb30e47d5cc96ad4a323b583540b3ee3288660a5e8e9a0b0bd8b3fc8c618641f55d5aada0df

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
59KB

MD5
b0c82cabe38f94cfc1ba60f0d887271f

SHA1
44be27998c767449e112e29bafabd88af2d9b330

SHA256
256760d89d621f8762ebf94fcc5f02da674a797ec4ab4f5feafa150cd40504f6

SHA512
6df48706588b8ed7cdd241be795b5904a030e37f7c9e2d25a123733f28effe052304c149bd6a3734eae09f519e3a2c2a4fb463068854b521dbd178e84dbca049

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
59KB

MD5
a6b23799de71d1bf5e7e2ddb662da0f0

SHA1
a8c6cd4c5a71f1e087b89a1725f2b4371a251044

SHA256
d07f3a6c595b15fdee43bb81286783243657f2cca2e0a90707124403e1daefa0

SHA512
c0919350186777391aa89ad2277fa17482d6955c5b978e27d91b2667309bfce9bf012d588473d067e77c432b39d7d657835b03c7a2742034434df669238a8ec0

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
59KB

MD5
9ec2217dff4354174c8b03604bf614ce

SHA1
c7bd7ba4b69fe3bec2d9ff5524539a88bfb5a416

SHA256
58685dcd8d2b3bed40bd3718d056e5b340d7419f052dfb5001989cecb9ae664e

SHA512
37f28401fa80ef24ecb28e5e23995928ee79059719f706d55fc8e350ab21658e4526ebe381aa7c2e372c3175393e0f3683e83e9374113cf475b5e28cccddb7c1

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
59KB

MD5
70c57ae4c7988b393b3acdf525e5524c

SHA1
75231485c01621a3288b61607f74c0d5d7942be3

SHA256
99a73f4c0708bb47bc5c4ad2be323e35325b4807821ec6d031ab705bbeba040f

SHA512
792b318329dc52fd3d84bde6712fb7a5c93c6720ed38565128511ab1d56d4a5be7504caab49953a66f80af9ac5a95ea9d56061e00ba93aca58cd9664c840ea86

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
59KB

MD5
3121ad3fe46a1a008fa35ceed9c11352

SHA1
85ad7dda760bc105b443cf35f4f5ae7735b83755

SHA256
de063440baf5587e01f8738dc19f1d2164f96a898f6521c71d6e1c6e1f0dd0f9

SHA512
b2239ad8f2d4dda1d7f57c025f9a7a84cec5575c04488ddb70f8e49475272e032bd728960dede1c9a1225c0f98b1c3a9e091fcee568a8ff481de9e2b806f0729

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
59KB

MD5
5553891eb29c5d06ea5f0d51befdfdf0

SHA1
9448d4e6f3b282563611a63377fe799a917810a8

SHA256
c546bf91b3803f0f1bb64991d21bca52c79283acf3792e8c45867952566170bf

SHA512
8848f34a126aec06f446297bc7ecb2963c7c6d7bf8d2325c6544449aed4c5578a0a3ff86cbcdc25e5fef13f7198c65899d69a5b8a44334c1d9ae46cff1995e57

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
59KB

MD5
ba11ee87fa10aba8c22b3564bd04e7af

SHA1
096661a30e7d698b6f36b9450e203c0a3cc5feca

SHA256
89cebf9eb9c19f76b8086f19e384743b9830021fa0a9cb143e1739d9ac1cf9a1

SHA512
61d4879c472afd8129a38fc156e053c09d68194850db2e4b8811d8ded73d0b94824911e2e145a5063a1cea66af8338dcfdd97894883c378ea2cd90aebdb20ae6

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
59KB

MD5
aaaa290e23f5024624df6cc85dbbd27f

SHA1
9bf14c7a8ab8615593ea5ca106f23bb90a9bc32f

SHA256
2abd83d5816eb34d92229b39a605131a2056d4c6cf5aeeceb52c0c4cb21c07f6

SHA512
8a5ffdcdf7da502f5ef7f81dfabfdd861b8c692822671b4722e4a070ddf4c22daed521a985165df3070ee5d14a91ff37e498b8571bb3b82f878efe7de6df0cf4

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
59KB

MD5
832c53167d5094b5287640593d42dc6a

SHA1
75727e8d530278a86b9b327b15cc16d7499861b9

SHA256
bbff7f88668826f1128fe935a1fd01fee6017716c430d2367e2680423ec5a775

SHA512
13bf68550169b5c0d4ee4513df3f5d92ed343ac8ad075023a6dc192c7c5f38cf71b184f37bd8db400fe5e6ee7b90a2ac6fea66b35b6079ac88feb1815a89c571

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
59KB

MD5
a6d6231b796a4a88aa17128274498ed9

SHA1
a9d6bc3b4c3433ac39340c6d7f31526cb2526508

SHA256
9a91a3ac9efe387cd80a3683b74c6e27bfbbda5337307b60d2bd1414e55cfe24

SHA512
75866e8821cb7be42901439feb4e2aaed38ad940aac24efaa068ccf3d1de17a25737783c43803c653ba760fd0503d50d77c38de237ea0d29b5de21bc6e0c9535

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
59KB

MD5
71dd4dbf3cb1cbcb4610143b60e57530

SHA1
92d214c22300c1d425d2a5dae93c0088d7d45f71

SHA256
f607b36f8e7112135a73e63e61517e434fbb963244bb211ef83611e031b68015

SHA512
222980e3501d7de1dc00b033a41ead326f7d4425a20f8e193cbb17938b2a9fff101da143bb6978e9ad216a388c87018e62d017a09c7a1e725c77a1e28f5f4226

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
59KB

MD5
542fc52549562cd1f41b2b2ce1b0a06f

SHA1
f4d4b668f60e7a0b00351f68ffaabde0c436c982

SHA256
f2bde8fdf0c4a68a1d04848011073b9ba23d7a82851b8cafe4c769ca0c7ca4c4

SHA512
05a87a0f59927e4b117ca115ce66aea942441aae1603d56933e7e46200dad97857fd7c9d3047e71fa539df2b8483493dcd64348a001c204b4756fe3ccf872eef

Download Submit
memory/116-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/116-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/496-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/496-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/528-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/528-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/784-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/784-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-373-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1164-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1164-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-309-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-366-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1812-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1940-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1940-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-367-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-379-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3324-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3324-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3604-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3604-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4200-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4200-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4252-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4252-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4612-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4612-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4652-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4652-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4668-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4668-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4672-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4672-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5180-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5180-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5256-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5256-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5280-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5280-377-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5332-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5332-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5396-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5396-368-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5416-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5416-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5532-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5532-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5552-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5552-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5756-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5756-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5788-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5788-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5816-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5816-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5960-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5960-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5964-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5964-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5976-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5976-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6020-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6020-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6068-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6068-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads