8eb4dc84e5f43f41e5ebb05bbc9a2f17588a81058429eb6b854728ba37f554fa

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Size

168KB
MD5

1f1778a11d5463fa2f0eef8b91b11250
SHA1

34062bca4dd3ab82b2bc88d2a65e35669e954548
SHA256

8eb4dc84e5f43f41e5ebb05bbc9a2f17588a81058429eb6b854728ba37f554fa
SHA512

d0fc22e1c2b18e129e60685b1ae41ccf840f03fd5ddb9d34260ca216f5599b263af8131ea9d78911d775dd35f5ad2f7ed661553bd5078849cb183477267d39ff
SSDEEP

3072:tfbY0h/EdwpFwpDuJ8mF9YNTyr4p9t4W987u1j5FaoJ5pFwr:tfbD/E0Fwpo8mFCNkq9tr987u1dFVrF2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ganldgib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkofga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe

Executes dropped EXE 39 IoCs

pid	Process
1916	Fqeioiam.exe
5024	Fkofga32.exe
1896	Ganldgib.exe
780	Gpaihooo.exe
2744	Gbbajjlp.exe
2636	Hpioin32.exe
2940	Halhfe32.exe
4620	Hppeim32.exe
3308	Iimcma32.exe
1836	Iondqhpl.exe
3112	Jifecp32.exe
4412	Jemfhacc.exe
908	Jikoopij.exe
4808	Jahqiaeb.exe
2096	Klbnajqc.exe
4572	Lepleocn.exe
3128	Loofnccf.exe
3412	Mfpell32.exe
824	Mokfja32.exe
1112	Nqmojd32.exe
932	Ofckhj32.exe
4928	Ofgdcipq.exe
556	Omdieb32.exe
4516	Pfepdg32.exe
3068	Abcgjg32.exe
2696	Ajaelc32.exe
412	Bmbnnn32.exe
4196	Bpcgpihi.exe
2036	Biklho32.exe
872	Bfolacnc.exe
4964	Bfaigclq.exe
1556	Bbhildae.exe
1684	Cienon32.exe
2196	Ccmcgcmp.exe
4336	Ccppmc32.exe
3108	Cmedjl32.exe
3464	Cacmpj32.exe
2100	Dinael32.exe
4856	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omdieb32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Jikoopij.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Cgpfqchb.dll	Jemfhacc.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Jahqiaeb.exe
File opened for modification	C:\Windows\SysWOW64\Bfaigclq.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Gpaihooo.exe	Ganldgib.exe
File opened for modification	C:\Windows\SysWOW64\Iondqhpl.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Ckjfdocc.dll	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Gnobcjlg.dll	Fkofga32.exe
File created	C:\Windows\SysWOW64\Jemfhacc.exe	Jifecp32.exe
File created	C:\Windows\SysWOW64\Nknjec32.dll	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Efoomp32.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mfpell32.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Ganldgib.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Nqmojd32.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Fqeioiam.exe	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gpaihooo.exe	Ganldgib.exe
File created	C:\Windows\SysWOW64\Mpaqbf32.dll	Hpioin32.exe
File opened for modification	C:\Windows\SysWOW64\Jemfhacc.exe	Jifecp32.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Ajhapb32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Hppeim32.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Gejimf32.dll	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Kbpkkeen.dll	Biklho32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Fkofga32.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Iondqhpl.exe	Iimcma32.exe
File opened for modification	C:\Windows\SysWOW64\Jifecp32.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Ajaelc32.exe
File opened for modification	C:\Windows\SysWOW64\Halhfe32.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Ieicjl32.dll	Jifecp32.exe
File created	C:\Windows\SysWOW64\Dojpmiij.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Lepleocn.exe	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Abcgjg32.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Jahqiaeb.exe	Jikoopij.exe
File created	C:\Windows\SysWOW64\Mokfja32.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Nqmojd32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Hpioin32.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dinael32.exe
File created	C:\Windows\SysWOW64\Ajaelc32.exe	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Ccppmc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1036	4856	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haclqq32.dll"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iimcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Halhfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1916	2548	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe	90
PID 2548 wrote to memory of 1916	2548	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe	90
PID 2548 wrote to memory of 1916	2548	1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe	90
PID 1916 wrote to memory of 5024	1916	Fqeioiam.exe	91
PID 1916 wrote to memory of 5024	1916	Fqeioiam.exe	91
PID 1916 wrote to memory of 5024	1916	Fqeioiam.exe	91
PID 5024 wrote to memory of 1896	5024	Fkofga32.exe	92
PID 5024 wrote to memory of 1896	5024	Fkofga32.exe	92
PID 5024 wrote to memory of 1896	5024	Fkofga32.exe	92
PID 1896 wrote to memory of 780	1896	Ganldgib.exe	93
PID 1896 wrote to memory of 780	1896	Ganldgib.exe	93
PID 1896 wrote to memory of 780	1896	Ganldgib.exe	93
PID 780 wrote to memory of 2744	780	Gpaihooo.exe	94
PID 780 wrote to memory of 2744	780	Gpaihooo.exe	94
PID 780 wrote to memory of 2744	780	Gpaihooo.exe	94
PID 2744 wrote to memory of 2636	2744	Gbbajjlp.exe	95
PID 2744 wrote to memory of 2636	2744	Gbbajjlp.exe	95
PID 2744 wrote to memory of 2636	2744	Gbbajjlp.exe	95
PID 2636 wrote to memory of 2940	2636	Hpioin32.exe	96
PID 2636 wrote to memory of 2940	2636	Hpioin32.exe	96
PID 2636 wrote to memory of 2940	2636	Hpioin32.exe	96
PID 2940 wrote to memory of 4620	2940	Halhfe32.exe	97
PID 2940 wrote to memory of 4620	2940	Halhfe32.exe	97
PID 2940 wrote to memory of 4620	2940	Halhfe32.exe	97
PID 4620 wrote to memory of 3308	4620	Hppeim32.exe	98
PID 4620 wrote to memory of 3308	4620	Hppeim32.exe	98
PID 4620 wrote to memory of 3308	4620	Hppeim32.exe	98
PID 3308 wrote to memory of 1836	3308	Iimcma32.exe	99
PID 3308 wrote to memory of 1836	3308	Iimcma32.exe	99
PID 3308 wrote to memory of 1836	3308	Iimcma32.exe	99
PID 1836 wrote to memory of 3112	1836	Iondqhpl.exe	100
PID 1836 wrote to memory of 3112	1836	Iondqhpl.exe	100
PID 1836 wrote to memory of 3112	1836	Iondqhpl.exe	100
PID 3112 wrote to memory of 4412	3112	Jifecp32.exe	101
PID 3112 wrote to memory of 4412	3112	Jifecp32.exe	101
PID 3112 wrote to memory of 4412	3112	Jifecp32.exe	101
PID 4412 wrote to memory of 908	4412	Jemfhacc.exe	102
PID 4412 wrote to memory of 908	4412	Jemfhacc.exe	102
PID 4412 wrote to memory of 908	4412	Jemfhacc.exe	102
PID 908 wrote to memory of 4808	908	Jikoopij.exe	103
PID 908 wrote to memory of 4808	908	Jikoopij.exe	103
PID 908 wrote to memory of 4808	908	Jikoopij.exe	103
PID 4808 wrote to memory of 2096	4808	Jahqiaeb.exe	104
PID 4808 wrote to memory of 2096	4808	Jahqiaeb.exe	104
PID 4808 wrote to memory of 2096	4808	Jahqiaeb.exe	104
PID 2096 wrote to memory of 4572	2096	Klbnajqc.exe	105
PID 2096 wrote to memory of 4572	2096	Klbnajqc.exe	105
PID 2096 wrote to memory of 4572	2096	Klbnajqc.exe	105
PID 4572 wrote to memory of 3128	4572	Lepleocn.exe	106
PID 4572 wrote to memory of 3128	4572	Lepleocn.exe	106
PID 4572 wrote to memory of 3128	4572	Lepleocn.exe	106
PID 3128 wrote to memory of 3412	3128	Loofnccf.exe	107
PID 3128 wrote to memory of 3412	3128	Loofnccf.exe	107
PID 3128 wrote to memory of 3412	3128	Loofnccf.exe	107
PID 3412 wrote to memory of 824	3412	Mfpell32.exe	108
PID 3412 wrote to memory of 824	3412	Mfpell32.exe	108
PID 3412 wrote to memory of 824	3412	Mfpell32.exe	108
PID 824 wrote to memory of 1112	824	Mokfja32.exe	109
PID 824 wrote to memory of 1112	824	Mokfja32.exe	109
PID 824 wrote to memory of 1112	824	Mokfja32.exe	109
PID 1112 wrote to memory of 932	1112	Nqmojd32.exe	110
PID 1112 wrote to memory of 932	1112	Nqmojd32.exe	110
PID 1112 wrote to memory of 932	1112	Nqmojd32.exe	110
PID 932 wrote to memory of 4928	932	Ofckhj32.exe	111

C:\Users\Admin\AppData\Local\Temp\1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f1778a11d5463fa2f0eef8b91b11250_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Fqeioiam.exe
  C:\Windows\system32\Fqeioiam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\Fkofga32.exe
    C:\Windows\system32\Fkofga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\Ganldgib.exe
      C:\Windows\system32\Ganldgib.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        40⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 400
        41⤵
        Program crash
        
        PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4856 -ip 4856
1⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
168KB

MD5
58000829bb365e9571ed1d424f7d4b58

SHA1
ae60e4829d1519ae2fa11e6fa191064d48798fb6

SHA256
e3af6b5a5498f417be370712ac94b2b04ea8d622554e393776fcf6d1157c0d52

SHA512
f27e4554274f445a286589a0545c2dec915aa2b5780c6c9b6119f64cd3553553279bef2706e761e76d08632f2bb13b63195690366cfa0d70788df7423348b580

Download Submit
C:\Windows\SysWOW64\Ajaelc32.exe

Filesize
168KB

MD5
f57b298b96e6e92b091f5749ffad6ff3

SHA1
771609f3c1b03aa3eb5afc512b941bf8f7a55451

SHA256
3b5f32c6b8a6b85f00d8a1882b3a33b4fa1978b2fbd070afcc189efae4c44e98

SHA512
eee84b99af576e6c089c45017e62d4631b52428631c4a63a53c51c343018df43d180fe58283bca219a988a66a589c5a4e60accc40f5672d4bb08a77e0e32bfda

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
168KB

MD5
d8ccef60c7f2986237de1efc98dc13f7

SHA1
6d9c782f8ef9cbf3e97e493748c77a4dab992842

SHA256
93757c3d715e5a394b6d0490fd2a51f330b7397695dc9d7810596781cc71a688

SHA512
7049a6d1600312444a6f4e30274945e574b715ec95400660bf33f5a704f3539e5531acf301f5169746a219978d85a9f1863c5eb53bedd329c7d2baf973366cf3

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
168KB

MD5
83e6808691b9694c2d82400f5b840292

SHA1
ed36c1d14ec8fe6b8783e440fda062c2049c88a6

SHA256
629d3558698654218b78a4dccfcaad854d2caa09748949035f23ec05b72948c0

SHA512
fd2fff16c80e70d36464da38896724e3d9be83236dc67f0cba9937e4520f1b04c1098783198bd74f7e76222d459a824e7cd18079bc17a1f4d297cefb37ba9f76

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
168KB

MD5
b3c3970d5169e8cadcde55e37864bd14

SHA1
1ecab6c7642b0332a131896d00d860b284db36ec

SHA256
708c72a5cf163b3960696ff372707f7819533e4f28602d7825f2ae868ae57638

SHA512
6c5361a8d92356cbf7aecb68c925e147896ab51b033239c859afffaaf7144f943b0a15f9be1715b32a35a8ffbf94c1d0c54b12e991ce3b66b6066bacf27fe4f8

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
168KB

MD5
cceca827d19aed5879ce1ab2abdd0e37

SHA1
de9b6e21057840685ec36b85052b24784647e998

SHA256
d3a9695bec3b960bd63c380be55a7fe19cbf2c8929b7a27421046b43b62910f3

SHA512
8b81f340cc627a1940245324b0b10980d6336df7da2dea398f016ec72de0f46c53db17d81f982eadf2936165a33f36bb5e98d7567c41cba219ea3775b1ee2677

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
168KB

MD5
9cf57f4fe4261646369bd7735cb251ac

SHA1
f22997608628908d5aed29b6d7b23fbd0059be2c

SHA256
f80a6c90aa03595f6a0295e761e66b93e7b7a028908670ad476baa8457f26bd5

SHA512
730267b2360121e2956873d58bcecc4d6cfdc0a352824bd53748e93bf6ab67ff4bed23cd6d36e737525a8c9caf1fb6a4f2a7edb997d8ec88441be37ef829cfa9

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
168KB

MD5
820db2b797aed988c23c9cbaa2ea7914

SHA1
35e3987c6fd39748422c432723ab506cff441dae

SHA256
877c96904dd6200b9d96141479d67401c0540bfc6942bebc93d409ba1238fb3c

SHA512
4a08716b4ecdf927b17ff319ab0a507658194c162766261191a35c7b316fddbaf23e995a8c44e3ba9b958bb8ffd5f07a5fa3d034fad78f839144f083f0b88983

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
168KB

MD5
a4ea9fc3d5f398bbc1e2f47a03741873

SHA1
748eb24df2939cdb6826543ab6ef9bcc36628a23

SHA256
ec13159dbbff883cf6a958bf7219e47e6bec949258e40af3fc4185df98b3df33

SHA512
f7728ed2d394d7504fe4ee2a2320d5c878771350eba9b2f66838fcd15ddb608c62f62792a32a8e06001f7526f04d025b72df3409bad9b032078632dea296dbee

Download Submit
C:\Windows\SysWOW64\Fkofga32.exe

Filesize
168KB

MD5
f4e7ceae2a23e17133e1463126f63321

SHA1
4ae96c321b49cd4f7634e813e6f43918ac46ddb6

SHA256
ee4ccd5f495399cc7f85a21a1206916fab52c4cf6b446d0bfcf35a19adebcc81

SHA512
f9263ba85f602dbb4bfa311356b4d120d6f92d0fd92cc3d6868d5ab06ee223885a8b0d451d0224f5ed28401a2b02f7add2aebb709260e5837caeb4df47a4f42a

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
168KB

MD5
63a6bed9b31975bb548a6497f735cd96

SHA1
2a5dce094764c8d26d16980cd1b5b4e1e48957f7

SHA256
1b9de9464f3592e04a3d6b6f9b7392cd142d64641112e5dc9f0894f12d5a632a

SHA512
2c6feb6aa5f57498056e18d104280619b00be8a17ea7ad1c7bf077b3bda4b9b6f265f537af5aa14ec6daa62e78ccc62ba765199efe9cd3435c3000bc860a7228

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
168KB

MD5
a179c2c658c655fc8c9c3529b33ae311

SHA1
86f7aeb77ecb87aa4569b2fa667f356d8e360384

SHA256
7aeff6880bb55fed63e5578c8d670f1789f1dc4dde67f71dc18dc44f63db4177

SHA512
7ee708d021c90abe8aa6f56fae4e67537aa742ce7a9f72609b241339fd20b35324646aa16e2ce92f038e9a55a94962d790b3fbbd314907acdd1d8865a164cacc

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
168KB

MD5
497f6256da6607d13e810356ef409ba0

SHA1
ef3b2896cc0f568c107619158024ccf0b120b5d4

SHA256
23a435b6c9cb8b630dd2513784a9e2d2faebfe784c6fbaea1711ed15485babc1

SHA512
d0874fcbc359e75d2af61ba055e98fb87caabfba56e54e302a0a3d9b526eb19218878ee1835ad8e1a55d26f08462a500af8e49a0b66b752c90cbdaf8be1edefb

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
168KB

MD5
363dae9cf435529515d974fe2b080d8e

SHA1
fbc4852108c2b989bccf844801e646b06e2cb48c

SHA256
6cf95f894304606c8a0a0389a9e9c5ae7ffe38fb2e418a949bf5791b28480681

SHA512
9503b711dcfc1c6716ae2a1fed9a8457f05e284dc65be1b9f9059bf7d023a7e11892365ecb8d5b0c2bde99ce610fd8f41cf9768e2d07aee6afa6c19c509c2a9f

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
168KB

MD5
26a4b977c8ed245353a7501bacc391cd

SHA1
402def2724d8a4bf75321548afc155bde17269d6

SHA256
cd845e7a7f48955332f684a755266cf8faed4e6d74820f249ebc9c3bf0312361

SHA512
266f84c4d2e775158f7b70335246999a2ead4890f6976864add66f0b2346ce1a248567b112a4be334051d19dc639410de04253f76b5a66c21a96f40bf9d54835

Download Submit
C:\Windows\SysWOW64\Hpioin32.exe

Filesize
168KB

MD5
e3af265b119d2deace06cb65f2316e63

SHA1
fccce68e9ef0e1bfd1397fc81058163b34a5fbdf

SHA256
fefce0b71639d53c62aa33007b441296d5a28f78530421969a70c4e7ab0bb605

SHA512
4529b3b0d4f1116adc2bcaf9046d86e4328256efa341393d76acd97914269bbc3e7ac88efccce3b94184a8fbd956617b4e555e57b7814b89468b1728772258e0

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
168KB

MD5
5e71ad11f6d75114fc29f45d87e57e0f

SHA1
1b563959acfccef7142c3497bb54489d0f47e405

SHA256
aa5b3aa3c076ddcda2fe480ac57428e71b85bb996a6c991eb81f2da65b25c980

SHA512
2c6ebc3315cae4df3054b1cc69e82baadb2d3a71dde4bee1f6e3c72c4188a19b9dc80f5e483ed1dbfb170a74f1258c105efdeab77e338bcf333f18fb840ec2ef

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
168KB

MD5
5c736488f8d23b669942775a913d8c24

SHA1
9beb5bad43ddfbec0464483f90cd3d76c5e7c191

SHA256
58ae2a3344a23a7668bf218ea49d94134518fdff045caa30946f7b3f2ecd7c16

SHA512
442a02c56f8faf26123fde6fb724deb7b3aabca54699f6df1b2de03b1244708457d61a5e010c520cd840e652669e20c195706fe5dcae007efae023c1afc50ace

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
168KB

MD5
16fb14aed168ee1ae8bd88836ae55f13

SHA1
d959ba43e5c65bb8ec3f27d879476d5d79866378

SHA256
cb772aebe415dacf9d6b982e4d5a5d2def9f913e78ebb7ddb1228d27bd52f6cc

SHA512
4f7c622f2b16b4c4d24946d91cf2cedc4938268bb88979a5c22d84f4f9906f5d5130c181b276d0eae781142d6ab8ea8171caabb3e65fad0f34e64b075f75b3eb

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
168KB

MD5
7365956993dab4c770dd0f99b3aebc6b

SHA1
e8ab933037935bf07ee61fb9029058342b4efb55

SHA256
cd160922067bd1e3a7dc1d4433ff06889b2d2b778c37dd14d6f230fa33df52c6

SHA512
43d36491c3f881211ec35de33c9743c2433cd3d423fa7a2ab370a93bea73a5a567a697f426e740667f2197abadb4b3f296b0c7cb9792feccf5846b733c7f303a

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
168KB

MD5
b32daaa980c6acb4ee3d681ae0400e70

SHA1
b82aa2935c50d16ce1bb67dafb27a92a8e372c20

SHA256
a97114bf31d86cae200a0d443bbd1e63c76a2f5904e719968a1fac0ce70f7f0e

SHA512
1e564ca30da3e1cbb9432b4f1916709f38e79dabdc7ac771e0be7445bab3f76ced1c32c0d42bc1a2030d6f90c4567eb5087d44fdff450d9df7b9d9745eca25c5

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
168KB

MD5
deb8ff4a49dab50515f3ab9698be38cf

SHA1
671969d7094480343505924201941d5b33932b06

SHA256
0656f5403e8577274f25e2722bb0a987d27a427d5969b5c90039ab6d3b9bb97f

SHA512
0a4279b02aff7481e66d7c289b590b78ab10f75d46737bfd9933282342c5b4629ae4acaf96228fee35ca18c12fde3138d0194367532781c4ff81b189ffa89546

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
168KB

MD5
abc09b5ca2fad354d9e5593c86760f34

SHA1
1cf55f02b8256753279b34eb948b9457916e7440

SHA256
e17664094c6038fc2ab355d2cbf9e50df56a7ffeddd83555c66563fb12bfbb74

SHA512
468288442ae68558da19d0ee6dfb58e40b7f695354ac424a76a1f9550b8404663965197465453022644ae57f326b22ff09b5235170f37258e6c3a93b5d52d7c9

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
168KB

MD5
fce0b676e42ec65659ecc260ec3bba20

SHA1
9d98b5419fadb185c894db5fafdc8de4dd9b2b13

SHA256
9982de10d9a8a3f40d411df5769196047f0bbfe8b6f7dd5d4d07de63484edf8e

SHA512
d239ac0be8bdef746d87d73838813528b9747adf25934aa4e607ddf570d2c36299b52dc37936f209216c87d3a3faf087d6e12a768ac571c7bd2cc68d56b4a905

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
128KB

MD5
766f43f5a37e775a55196812cb26e00d

SHA1
6d58241e21afe5ce00478b753a72b1391ae1ceac

SHA256
ba1809268c4e4523701082449290fe043f4ce8b39082c1afb0ff85a76ba43a86

SHA512
6e7a6b788b38ac263656867077744b8d88179a0493ce31d2aa90095bb3bf48a5074ee787c50e80624642ae3bb88feee07db93d06bf467aaa46f67d32a636ce54

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
168KB

MD5
7323a3d7685467584d2bfbbfb59e41cc

SHA1
3378fa66dbdb166c918421346358758ee151cf01

SHA256
4984d99af0d3335f29ff82e95e3751d930c3c0786caa49fcc2a1e666af2fc38d

SHA512
3fdca63b4d3a7818c0a47137b2f07700d59e6d26f672382a0f7f80bd2385b2ecf6a2995eaeaf48368bacaa29231c7d62d73a9ecc6d52e3e52af0d6b3d8e3effd

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
168KB

MD5
fe519dccdcd5d233bc1a729e3e5b0f9e

SHA1
4d62ab317da9738e1863b4ec720f6f9a98c0061a

SHA256
da0cd68996323366c105fb9cecae6a74e1ca9de9a13b983fd058fb1edb2a7099

SHA512
917e660bcc9de90fb93193744317135c510bb7ed4f090f46c75d155158641680684c77896faf4c14cff0e1daba579e91ed9210c553acd9861d8050f21527e8af

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
168KB

MD5
68bf9a1c41a6b056c5c0f785e5f37d84

SHA1
c3fed2b009839b6f9adbca3a0a8753d39ce0a3b2

SHA256
b405e7ccebdee161e457de42b5f00c3695e0feedfadc879e16c708bb4c4684af

SHA512
d176b2114bdbad31df39399ea19af2b2429ad1d6b7a195ffafeb333e50fb27f15f786fdf2aacb515b037ea039464109588a88de510e6b6dcfebfa2766a2a3c1e

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
168KB

MD5
24f9555a6fb5df6d23e81c272422d100

SHA1
8f7558fc81ab2a812c5d547b103ce190c77263af

SHA256
383e0ea7ac67218d890d4d513a4efbe4cee286cd54111ac5df912041b38ad17b

SHA512
a50ff19ecddc3f21782a2411e243ea340cf4470e81ec8edb897e9c82edbc94b8d1fcb2bbe4330a800b22edcaabc21bf78150dd01559ec8db803dcc428786a471

Download Submit
C:\Windows\SysWOW64\Nqmojd32.exe

Filesize
168KB

MD5
1f8f8a0e47c92bc9b957023950b35f53

SHA1
fa343c639ea4db4b1ca85de8b8ecad5d3432933e

SHA256
bf1231e0da080fd3af075c78fb1b0f940cb2bd459bfe40ae8c86c602fb43be06

SHA512
62e67a694d4c67a1d6639a890f4d7e5f83b875cdbe7bf949f059995c53a40c0edefbb81f9bfd958ebe0290c7e5f6d96678ad7a346a1f4c1c2e5af3651257b723

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
168KB

MD5
ce567cd8c08218bd36a0268e82e485e9

SHA1
02c4a0c169ce24ad37ba3fdcab61b72faec63e80

SHA256
2faad398b7e2ed11aef91cc74b432a3bc9e09c5a67feb55188fdd0cde270c431

SHA512
368807a10809e48451df4def49bb15c97c621df953381262dac64ad1d47ff9a7be7611787b7a9876daa7293779fb8c7dfc4c8bffa39e96e2815c73217bfff663

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
168KB

MD5
410692b6557acb901b0abb4a62a0a762

SHA1
4a573edbcab3b8038fbe2bb551038ab283a3088b

SHA256
c89153ea3f4e4c0a1e69a313e476593b93899b4bc5e54ef34e07c722b0a26f98

SHA512
43f6b3dc332897827407435521b3d4614bcdfb9f8d3214320f5723b3a026d7a8bd08ab8f79cabf5e4ae65e1609a455530b818f2281a15dc1c549c3c70856d2ed

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
168KB

MD5
969325b1102f3dacd8ce16d86e3b126f

SHA1
2dc872c8d9d2181aa4e46fcebc9d9e784de2a3cf

SHA256
8390196142a19ede5be2ef0c51e3de29b43ad5f0f9176e65639a244139d90141

SHA512
41572c3f92dcf91c406b606d55f374933ca8fccc31822af292e7e86ec41799c17606981949903af15f81cf27e0ff1bd5d88206d9cff927aef8ae4b4573ec6216

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
168KB

MD5
64b0495a6860235bd57b5481d64ef31d

SHA1
fdb2d0953eeab4a9e405d3ae3fca99c37adb3914

SHA256
2b36aa52ce9856f6786d95545b789875e8ca22eec4f41d87fd25e85b3d1adfb5

SHA512
ffdaf870f2cb0b63c00d69cc6e5a04398dd0a7310c65bd61452f01584e06431b5fed19169a67f676f81bbf376a9311b068be6e8873ebb0e91f10bbbe1603dd70

Download Submit
memory/412-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads